Grid Trading

Security checks across malware telemetry and agentic risk

Overview

This looks like a real crypto grid-trading bot, but it can run continuously, move real funds, grant broad token approvals, and send trading data to Discord or undeclared Telegram destinations.

Install only if you intentionally want an autonomous live crypto trading bot. Use a dedicated low-balance wallet, restricted OKX credentials, private notification channels, and review or disable Telegram discovery, cron scheduling, unlimited approvals, and automatic stop-loss resume before enabling tick.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
_account_id = os.environ.get("ONCHAINOS_ACCOUNT_ID", "")
if _account_id:
    try:
        _sw = subprocess.run(
            ["onchainos", "wallet", "switch", _account_id],
            capture_output=True,
            text=True,
Confidence
83% confidence
Finding
_sw = subprocess.run( ["onchainos", "wallet", "switch", _account_id], capture_output=True, text=True, timeout=10, )

Tainted flow: '_account_id' from os.environ.get (line 85, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
_account_id = os.environ.get("ONCHAINOS_ACCOUNT_ID", "")
if _account_id:
    try:
        _sw = subprocess.run(
            ["onchainos", "wallet", "switch", _account_id],
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
_sw = subprocess.run( ["onchainos", "wallet", "switch", _account_id], capture_output=True, text=True, timeout=10, )

Tainted flow: 'req' from os.environ.get (line 1265, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
headers={"Content-Type": "application/json"},
    )
    try:
        urllib.request.urlopen(req, timeout=10)
        return True
    except (urllib.error.HTTPError, urllib.error.URLError, TimeoutError) as e:
        log(f"Telegram send error: {e}")
Confidence
95% confidence
Finding
urllib.request.urlopen(req, timeout=10)

Tainted flow: 'req' from os.environ.get (line 1265, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
},
        )
        try:
            urllib.request.urlopen(req, timeout=10)
            discord_ok = True
        except (urllib.error.HTTPError, urllib.error.URLError, TimeoutError) as e:
            log(f"Discord embed error: {e}")
Confidence
89% confidence
Finding
urllib.request.urlopen(req, timeout=10)

Description-Behavior Mismatch

Low
Confidence
97% confidence
Finding
The manifest describes Discord notification, but the code silently adds Telegram support and will send messages there when credentials are available. Undeclared outbound channels increase the attack surface and can leak trading data to destinations the operator did not expect or review.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill searches multiple home-directory application configs to obtain Telegram credentials unrelated to this skill. That is cross-application credential harvesting behavior and can repurpose secrets from other tools to exfiltrate portfolio and trade data without explicit consent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README includes a cron command that runs the trading bot automatically every 5 minutes and can trigger live swaps on-chain, but it does not place an explicit warning near the command that real funds may be moved and losses may occur. In a trading skill, this omission materially increases the chance of accidental deployment with real assets, especially because the example proceeds directly from setup to automation.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The setup instructions tell the user to copy `.env.example` to `.env` and fill in API keys and wallet information, but they do not warn that these are sensitive secrets that must not be committed, shared, or exposed in logs. Because this skill handles trading credentials and wallet-related data, weak handling of the `.env` file can lead to credential leakage and unauthorized trading.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This skill is designed to use API credentials, interact with a wallet, and broadcast live swaps, but it does not prominently warn users that running it can move real funds and consume sensitive secrets. In an agent setting, insufficient disclosure materially increases the risk of accidental execution, credential misuse, or users granting dangerous access without understanding the consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill states that Discord notifications include portfolio, PnL, and transaction-related details, but it does not warn that this data is sent to a third-party service. That creates a privacy and operational security risk, especially for trading systems where balances, addresses, and timing data can be sensitive.

Missing User Warnings

High
Confidence
98% confidence
Finding
The bot automatically issues token approvals and executes swaps using the wallet with no user confirmation step, and its max approvals grant spending limits beyond the immediate trade. In an agent-skill context this is highly dangerous because any misconfiguration, manipulated account selection, or malicious invocation can directly move funds on-chain.

VirusTotal

66/66 vendors flagged this skill as clean.
