ClawHub

Superior Trade

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed trading automation skill that can trade real funds, but its financial authority is aligned with its stated purpose and includes user-confirmation safeguards.

Install only if you intend to let an agent manage Superior Trade backtests and live trading. Treat SUPERIOR_TRADE_API_KEY like a financial credential, prefer dry-run/backtests first, confirm every live deployment or deposit carefully, and set conservative stake, stoploss, and wallet exposure limits before using real funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow explicitly instructs submitting Hyperliquid wallet credentials during deployment but provides no user-facing warning, consent checkpoint, or secure-handling guidance for sensitive secrets. In a live-trading skill, this creates a real risk of credential exposure, unsafe collection practices, and unauthorized fund access if the agent logs, echoes, stores, or mishandles the wallet information.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The activation phrase is very broad: it triggers on 'running, interpreting, or designing backtests' and 'anything about backtest windows, trade-count thresholds, exit-reason mix, parameter sweeps, walk-forward validation, zero-trade diagnosis, compute-cost estimation, or "is this backtest result trustworthy?"'. In a trading assistant, this can cause the skill to activate during many ordinary finance conversations, increasing the chance that its prescriptive guidance overrides more appropriate context-specific safeguards or causes unintended tool usage/workflow steering.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document explicitly recommends a recurring automated buy strategy with `stoploss = -0.99`, no normal exit path, and ongoing position accumulation, but it does not provide clear risk warnings, capital-allocation limits, or safeguards against indefinite exposure growth. In a trading automation skill, this is dangerous because users may deploy it as-is and incur large losses or uncontrolled capital commitment during prolonged drawdowns.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This file provides concrete live deployment guidance for a futures short strategy, including isolated margin configuration, short-enabled logic, and operational recommendations, but does not include a clear, prominent warning about financial loss, liquidation, leverage risk, or suitability constraints. In the context of an agent skill that may be used directly by operators, this omission can encourage unsafe real-money deployment based on limited backtest evidence and understated risk.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description is intentionally broad and includes many aliases such as 'ladder buy', 'scaling-in', and 'buy more when it dips', which can cause the agent to invoke this skill for generic trading requests that are not actually asking for a grid-style strategy. In a trading context, over-broad routing is risky because it can steer users into a leveraged averaging-down strategy with materially different risk characteristics than simpler position-management or DCA approaches.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill promotes a capital-intensive averaging-down strategy with up to five additional entries, a very deep stoploss (-30%), and disabled ROI auto-closing, but it does not present an explicit financial-risk warning commensurate with the strategy's loss profile. In this context, the danger is amplified because users may treat the documented backtest results and implementation guidance as approval to deploy a martingale-like strategy without understanding tail risk, wallet exposure, or regime sensitivity.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal