Cl Lp Rebalancer

Security checks across malware telemetry and agentic risk

Overview

This is a real automated DeFi rebalancer, but it has live wallet-changing authority and under-disclosed cross-platform data and notification behavior.

Install only if you intend to run an automated trading bot with real wallet authority. Use a dedicated limited-funds wallet, avoid shared Discord/Telegram configs unless you want notifications sent there, do not set Binance or Hyperliquid variables unless you want those balances queried, and verify live behavior manually before enabling the cron job.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tainted flow: 'req' from os.environ.get (line 2250, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
).hexdigest()
        url = f"https://fapi.binance.com/fapi/v2/balance?{query}&signature={sig}"
        req = urllib.request.Request(url, headers={"X-MBX-APIKEY": BINANCE_API_KEY})
        with urllib.request.urlopen(req, timeout=10) as resp:
            data = json.loads(resp.read())
        for asset in data:
            if asset.get("asset") == "USDT":
Confidence: 88%
Finding:
with urllib.request.urlopen(req, timeout=10) as resp:

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill aggregates and exposes balances from Hyperliquid and Binance in status/reporting flows even though the metadata describes a Uniswap V3 LP rebalancer. In an agent environment, this creates unnecessary cross-account data exposure and violates least-privilege expectations by expanding visibility into unrelated assets and platforms.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The code reads Discord and Telegram tokens from unrelated local agent config files (~/.openclaw, ~/.zeroclaw, etc.) rather than only from this skill's own scoped configuration. This crosses trust boundaries: a skill intended for LP management should not automatically harvest messaging credentials from other tools, and it can lead to unauthorized outbound messaging using accounts the user did not grant to this skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The skill accesses Binance Futures and Hyperliquid account data unrelated to its advertised Uniswap V3 LP automation role. In this context that is dangerous because users may provide exchange credentials elsewhere on the host, and the skill will opportunistically consume them to widen its view of the user's portfolio without clear necessity.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README clearly promotes automated live on-chain actions including rebalancing, swapping, claiming, removing liquidity, and closing positions, but it does not prominently warn that these operations move real assets and can incur trading loss, slippage, gas costs, smart-contract risk, and irreversible execution. In a DeFi trading skill, omission of this warning is materially dangerous because users may treat the automation as informational rather than as a live asset-moving strategy.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The setup instructions tell users to copy .env and populate API keys and wallet address, but provide no warning about secure secret handling, file permissions, shell history exposure, backup leakage, or the sensitivity of wallet-related credentials. Because this skill is intended to execute on-chain DeFi operations, mishandling these secrets could enable unauthorized trades, fund movement, or account compromise.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The documented trigger phrases for `status` are broad enough to match ordinary portfolio questions, which can cause the skill to activate unexpectedly. In a financial skill with cached and live account queries, unintended invocation can expose sensitive holdings data or trigger external calls without the user clearly intending to use this skill.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
This skill performs destructive financial operations such as claim, redeem, swap, deposit, reset, and close, but only meme-coin setup requires explicit confirmation; normal rebalance and close flows do not require a general user approval gate. In the context of on-chain asset management, missing confirmation for value-moving actions can directly lead to unauthorized trades, position closure, slippage losses, and irreversible fund movement.

VirusTotal

66/66 vendors flagged this skill as clean.
