Cryptofeed Ws Feeds

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it mixes a crypto market-data skill with broader stock/backtesting, credentialed exchange, live-trading, external storage, and rate-limit-bypass guidance that users should review carefully.

Install only if you intentionally want a broad finance/trading assistant, not just crypto market-data ingestion. Use read-only or paper-trading credentials unless you explicitly approve live trading, review generated code before running it, avoid rate-limit-bypass workflows, and set clear limits for storage locations, retention, and external data sinks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill is declared as a crypto market-data ingestion/storage capability, but the documented pipeline extends into factor computation, target selection, trading execution, and visualization. This scope drift is dangerous because an agent may invoke the skill for higher-risk trading actions that are outside the stated purpose, reducing operator awareness and weakening approval boundaries.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The documentation requests A-share/HK stock provider, backtest period, and stock entity parameters even though the skill is presented as a crypto websocket feed tool. This mismatch can misroute users and agents into running unrelated market-analysis or trading workflows, creating unsafe tool selection and potentially unauthorized financial actions.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The file initially presents a narrow crypto real-time quotes function, then later shifts toward stock strategy and backtesting behavior. In an agentic environment, contradictory intent is risky because routing and safety decisions often rely on the top-level description; hidden secondary behavior can bypass user expectations and policy constraints.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The human-facing summary describes a different skill than the manifest: a ZVT-based quant/backtesting assistant focused on A-share/HK/crypto workflows rather than a crypto websocket feed ingestor. This kind of capability/identity mismatch can mislead users and downstream agents into invoking the skill for unintended tasks, causing unsafe automation decisions, incorrect code generation, or access to data/providers outside the expected scope.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The summary explicitly defaults users toward A-share workflows and provides examples centered on Chinese equity strategy development, which contradicts the manifest's crypto-feed-only intent. In context, this increases the chance that users or orchestration systems supply the wrong inputs, trust incorrect domain assumptions, or route sensitive financial tasks to a skill that may not support them safely or correctly.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The use-case document materially exceeds the declared skill scope by advertising authenticated trading/account features and many unrelated storage and transport integrations. This scope drift is dangerous because it can mislead users and downstream agents into granting credentials, enabling network egress, or invoking capabilities they would not expect from a market-data/ArcticDB skill.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The documented authenticated exchange examples include account monitoring and in at least one case trade execution/order management, which is far riskier than passive market-data streaming. If a user or agent trusts the stated description and supplies exchange API keys, this mismatch can lead to unauthorized account actions, fund loss, or exposure of sensitive trading data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The documentation advertises numerous external sinks and transports beyond ArcticDB, including databases, message brokers, cloud pub/sub, sockets, and raw file capture. This broadens the effective data-exfiltration and persistence surface well beyond the declared purpose, increasing the chance that users enable unexpected outbound transmission or long-term storage.

Description-Behavior Mismatch

Severity: Critical
Confidence: 99%
Finding
The seed is presented as a cryptofeed WebSocket market-data skill, but large portions of the file define an unrelated ZVT A-share quant/backtesting and strategy-generation workflow, including stock-data preconditions, backtest validators, semantic locks, and A-share user guidance. This is dangerous because it can cause the agent to execute the wrong capability set, request/install unrelated packages, and produce finance actions outside the user’s expected scope, creating severe confusion, unsafe execution paths, and policy boundary bypass via skill misrepresentation.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
The skill includes authenticated account monitoring and trade-execution-oriented capabilities that exceed the declared purpose of streaming and persisting market data. In a finance context, expanding a data-ingestion skill into account/trading behavior increases the blast radius substantially because an agent may handle credentials or initiate privileged workflows a user did not intend to authorize under this skill.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The seed introduces unrelated A-share quant strategy generation, backtesting entry points, and hard-gated validation logic despite advertising a cryptofeed market-data capability. This mismatch can cause the agent to generate or run stock-strategy code instead of market-data tasks, leading to unauthorized workflow shifts and unsafe assumptions about user intent in a financial system.

Intent-Code Divergence

Severity: Critical
Confidence: 99%
Finding
The user-facing summary explicitly describes the assistant as an A-share ZVT quant strategy builder, directly contradicting the skill’s advertised cryptofeed WebSocket market-data purpose. In a financial-agent setting, contradictory documentation is especially dangerous because users and host agents may rely on the wrong risk model, causing unintended code generation, data access, or trading-related behavior under false premises.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The execute trigger activates on broad intent matching plus generic action verbs such as run/execute/fetch/collect. Overbroad activation increases the chance that an agent will invoke the skill in the wrong context, especially given the document’s mixed data, strategy, and trading language.

Vague Triggers

Severity: Low
Confidence: 81%
Finding
Some trigger phrases, especially generic callback-related terms, are too broad to reliably indicate a request for this specific skill. While not directly malicious, such ambiguity can cause accidental activation and incorrect tool use in multi-skill environments.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Authenticated account and trading examples are presented without clear warnings about credential sensitivity, API-key permissions, or the possibility of account-impacting actions. In practice, this omission can cause users to reuse powerful keys or misunderstand that some examples may place, modify, or cancel orders rather than merely observe data.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The documentation lists many persistence and transmission destinations without warning that market, account, or raw websocket data may be stored externally, forwarded over networks, or retained for long periods. While not inherently malicious, the lack of disclosure increases privacy, compliance, and operational risk for users handling sensitive or proprietary data.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The manifest includes authenticated account-access and trade-related behaviors without prominent user-facing warnings about sensitive credentials, account scope, or downstream financial impact. In a crypto context, omission of explicit warnings materially increases the risk of users authorizing account-connected operations without understanding the consequences.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill advertises HTTP proxy use to bypass exchange rate limits and raw WebSocket capture without compliance, privacy, or data-handling warnings. In this context, 'bypass limits' is a red flag because it encourages behavior that may violate exchange terms, trigger bans, or enable collection of sensitive traffic without adequate disclosure.

Ssd 2

Severity: High
Confidence: 98%
Finding
The use-case explicitly promotes bypassing exchange rate limits through HTTP proxies. In a financial data-collection skill, this is dangerous because it encourages evasive behavior against platform controls, increasing the likelihood of account/IP bans, terms-of-service violations, and use of the skill for abusive scraping or anti-detection activity.

Ssd 2

Severity: High
Confidence: 98%
Finding
The intent router deliberately maps user requests containing 'proxy' and 'bypass limits' to a supported capability, operationalizing evasive behavior rather than merely documenting it. This makes the skill more dangerous because it lowers friction for misuse and steers the agent toward compliance-violating behavior on request.

Ssd 2

Severity: High
Confidence: 97%
Finding
The post-install catalog advertises rate-limit bypass as a user-facing supported feature, normalizing and encouraging abusive behavior. Because this appears in discovery/onboarding text, it increases the chance of misuse by making evasion a first-class advertised capability rather than an incidental detail.

VirusTotal

64/64 vendors flagged this skill as clean.
