
Security audit

Freqtrade Crypto Bot

Security checks across malware telemetry and agentic risk

Overview

This skill may be legitimate quant-trading reference material, but its Freqtrade crypto branding conflicts with the ZVT/A-share instructions in its body, and the body exposes high-impact trading surfaces.

Review before installing. Use only in an isolated environment, treat it as offline backtesting unless you explicitly choose otherwise, do not provide real exchange, broker, wallet, JoinQuant, or QMT credentials, and require manual confirmation before any install, data fetch, broker connection, or order-related command.
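The advice above amounts to a policy: offline backtesting runs silently, and anything that installs software, fetches data, opens a broker session or touches orders waits for a human, with real credentials never reaching the tool. The block below is an added example of such a gate, written for this page; it is not code from the audited skill, from Freqtrade, ZVT or SkillSpector. The Freqtrade subcommand names and force-trading RPC verbs are taken from Freqtrade's public CLI/RPC interface, but the risk tiers they are mapped to, the installer and fetcher lists, and the credential env-var prefixes are assumptions to adapt to the real tool surface.

```python
"""Confirmation gate for agent-issued shell commands.

Added example; not code from the audited skill, Freqtrade, ZVT or SkillSpector.
The command-to-risk mapping and the credential env-var prefixes are assumptions
chosen to match the review advice above; adapt them to the real tool surface.
"""
import os
import shlex
from enum import IntEnum
from typing import Callable, Mapping, Tuple


class Risk(IntEnum):
    OFFLINE = 0   # local analysis on data already on disk
    FETCH = 1     # pulls market data over the network
    INSTALL = 2   # changes the environment (pip/conda/...)
    BROKER = 3    # opens a session to an exchange or broker
    ORDER = 4     # can place, amend or cancel orders


# Freqtrade CLI subcommands (public CLI names) mapped to an assumed risk tier.
FREQTRADE_SUBCOMMANDS = {
    "backtesting": Risk.OFFLINE,
    "hyperopt": Risk.OFFLINE,
    "plot-dataframe": Risk.OFFLINE,
    "download-data": Risk.FETCH,
    "trade": Risk.BROKER,  # even --dry-run connects to the exchange
}
# Force-trading RPC verbs (Freqtrade REST/Telegram names); a URL path or
# bot command containing one of these is treated as an order action.
ORDER_RPC = {"forceenter", "forceexit", "forcebuy", "forcesell"}
INSTALLERS = {"pip", "pip3", "conda", "uv", "poetry"}
FETCHERS = {"curl", "wget"}
# Assumed env-var prefixes under which exchange/broker secrets would appear.
SECRET_ENV_PREFIXES = ("FREQTRADE__EXCHANGE__", "EXCHANGE_", "JQ_", "JOINQUANT_", "QMT_")


def classify(cmdline: str) -> Risk:
    """Map a command line to a risk tier; unknown commands fail closed."""
    argv = shlex.split(cmdline)
    if not argv:
        raise ValueError("empty command")
    prog = os.path.basename(argv[0])
    # Order RPC verbs anywhere (e.g. .../api/v1/forceenter or /forceexit) win.
    if any(verb in tok.split("/") for tok in argv for verb in ORDER_RPC):
        return Risk.ORDER
    if prog == "freqtrade" and len(argv) > 1:
        return FREQTRADE_SUBCOMMANDS.get(argv[1], Risk.ORDER)
    if prog in INSTALLERS:
        return Risk.INSTALL
    if prog in FETCHERS:
        return Risk.FETCH
    return Risk.ORDER  # anything unrecognised needs explicit confirmation


def gate(cmdline: str, env: Mapping[str, str],
         confirm: Callable[[str, Risk], bool]) -> Tuple[bool, str]:
    """Allow OFFLINE work silently; everything else only after confirm()."""
    leaked = sorted(k for k in env if k.startswith(SECRET_ENV_PREFIXES))
    if leaked:
        return False, f"refused: credential-like variables in environment: {leaked}"
    risk = classify(cmdline)
    if risk is Risk.OFFLINE:
        return True, "allowed: offline analysis"
    if confirm(cmdline, risk):
        return True, f"allowed after confirmation ({risk.name})"
    return False, f"blocked: {risk.name} action not confirmed"


if __name__ == "__main__":
    deny = lambda cmd, risk: False  # stand-in for a human prompt that says no
    for cmd in ("freqtrade backtesting --strategy Sample",
                "freqtrade download-data --pairs BTC/USDT",
                "freqtrade trade --dry-run",
                "pip install zvt",
                "curl -X POST http://127.0.0.1:8080/api/v1/forceenter"):
        print(f"{cmd!r:60} -> {gate(cmd, {}, deny)}")
```

Two choices matter here: unrecognised programs and unrecognised Freqtrade subcommands land in the highest tier rather than being waved through, and the credential check runs before classification, so even an offline backtest is refused when exchange or broker secrets are present in the environment handed to the tool.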

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Description-Behavior Mismatch

Severity: High | Confidence: 96%
Finding
The manifest advertises a Freqtrade crypto backtesting skill, but the body broadens scope to A-share/HK equities, multiple unrelated providers, and a pipeline that reaches trading execution. This kind of scope drift can cause the agent to select the skill in contexts it was not designed or authorized for, increasing the chance of unsafe actions, wrong tooling, or unintended market operations.

Intent-Code Divergence

Severity: Medium | Confidence: 92%
Finding
The declared use case is strategy analysis and backtesting, but the pipeline explicitly includes trading_execution. In an agentic environment, that mismatch can escalate a read/analyze request into order placement behavior, especially if downstream orchestration trusts pipeline stages more than prose descriptions.

Description-Behavior Mismatch

Severity: High | Confidence: 94%
Finding
The human-facing summary materially misrepresents the skill's purpose: it describes a ZVT-based A-share/HK/crypto strategy builder, while the metadata says this skill is a Freqtrade-based multi-exchange OHLCV backtesting tool. This mismatch can mislead users into invoking the wrong workflows, trusting unsupported capabilities, or supplying credentials or data intended for a different platform. That is a genuine security and safety issue even though it more likely stems from poor packaging or a copy-paste error than from deliberate abuse.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding
The seed advertises a Freqtrade crypto backtesting skill, but the operative preconditions, install steps, and execution flow pivot to ZVT and A-share workflows. This is dangerous because users and host agents may execute the wrong tooling stack, fetch the wrong market data, or run unintended code paths under a misleading skill identity, undermining trust boundaries and causing incorrect or unsafe automation behavior.

Description-Behavior Mismatch

Severity: High | Confidence: 98%
Finding
The documented architecture and user-facing behavior describe ZVT A-share pipelines rather than Freqtrade crypto analysis. In a skill system, this mismatch can cause the agent to select incompatible data sources, assumptions, and execution rules, leading to wrong outputs or unintended actions while the user believes they are operating in a different domain.

Context-Inappropriate Capability

Severity: High | Confidence: 96%
Finding
The file exposes live-trading and force-trading RPC capabilities even though the skill is described as historical OHLCV loading and backtesting analysis. Unnecessary live-trading surfaces materially increase risk because a user or orchestrator could invoke state-changing trade actions under a skill that should have been read-only or simulation-only.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding
The user-facing documentation actively claims ZVT/A-share assistance while the manifest identifies a Freqtrade crypto bot. This contradiction is dangerous because users rely on these descriptions to judge what code, markets, and privileges are being used; misleading docs can induce execution of unintended workflows and mask risky behavior behind false expectations.

Intent-Code Divergence

Severity: High | Confidence: 99%
Finding
The human summary and prompts steer users toward ZVT A-share use cases instead of the declared Freqtrade crypto analysis task. In an agentic environment, prompt steering is operationally significant: it can redirect user intent, trigger wrong toolchains, and conceal the actual behavior of the installed skill.

Vague Triggers

Severity: Medium | Confidence: 89%
Finding
The execute trigger is overly broad, relying on fuzzy intent matching plus common verbs like run/execute/backtest/fetch. That can cause accidental activation on loosely related user requests, which is especially risky here because the skill text also references data collection and trading execution flows.

Vague Triggers

Severity: Medium | Confidence: 84%
Finding
An overly broad execute trigger can cause accidental activation on generic phrases, such as a common action verb combined with a loose intent term. In a skill capable of installation, data access, or execution, unintended triggering increases the chance of surprising actions and misrouted workflows, especially given the file's broader identity confusion.
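The three recurring findings above (description drifting from body, triggers made of bare verbs, and order-placing capabilities in a skill declared as backtest-only) are checks a reviewer can run before installing. The block below is an added example of such a static check, written for this page; it is not SkillSpector's scanner and not code from the audited skill. The manifest fields (description, body, triggers, trigger_mode, intent, pipeline, rpc), the domain lexicons, and both sample manifests are constructed assumptions that mirror the findings; the suspect manifest is built to reproduce them, the clean one to pass.

```python
"""Static policy checks for an agent-skill manifest.

Added example; not SkillSpector's scanner and not code from the audited skill.
The manifest schema, the domain lexicons and the two sample manifests are
assumptions constructed to mirror the findings on this page.
"""
import re

# Assumed lexicons: which market/tooling domain a term belongs to.
DOMAIN_TERMS = {
    "freqtrade_crypto": ["freqtrade", "crypto", "ohlcv", "exchange", "binance", "usdt"],
    "zvt_ashare": ["zvt", "a-share", "hong kong", "joinquant", "qmt", "tushare"],
}
READ_ONLY_INTENTS = {"backtest", "analysis", "research"}
STATE_CHANGING_STAGES = {"trading_execution", "live_trading", "order_placement"}
ORDER_RPC = {"forceenter", "forceexit", "forcebuy", "forcesell", "trade"}


def _has_term(term: str, text: str) -> bool:
    # Word-boundary match that tolerates hyphens and slashes around the term,
    # so "A-share/HK" and "Freqtrade-based" both match their lexicon entries.
    return re.search(r"(?<![a-z0-9])" + re.escape(term) + r"(?![a-z0-9])", text) is not None


def domains_in(text: str) -> set:
    """Names of every domain whose lexicon has at least one hit in text."""
    text = text.lower()
    return {d for d, terms in DOMAIN_TERMS.items() if any(_has_term(t, text) for t in terms)}


def audit(manifest: dict) -> list:
    """Return a list of finding dicts; an empty list means all checks passed."""
    findings = []
    # 1. Description-behavior mismatch: domains the body uses but the
    #    description never mentions (scope drift into another market/toolchain).
    drift = domains_in(manifest["body"]) - domains_in(manifest["description"])
    if drift:
        findings.append({"category": "description-behavior-mismatch", "severity": "high",
                         "detail": f"body references domains absent from description: {sorted(drift)}"})
    # 2. Vague triggers: trigger phrases with no domain qualifier at all, or a
    #    fuzzy matching mode that widens every phrase further.
    all_terms = [t for terms in DOMAIN_TERMS.values() for t in terms]
    vague = [t for t in manifest.get("triggers", [])
             if not any(_has_term(term, t.lower()) for term in all_terms)]
    if vague or manifest.get("trigger_mode") == "fuzzy":
        findings.append({"category": "vague-triggers", "severity": "medium",
                         "detail": f"triggers without a domain qualifier: {vague}; "
                                   f"trigger_mode={manifest.get('trigger_mode')}"})
    # 3. Context-inappropriate capability: read-only intent, yet the pipeline
    #    or RPC surface can change state on an exchange or broker.
    if manifest.get("intent") in READ_ONLY_INTENTS:
        stages = STATE_CHANGING_STAGES & set(manifest.get("pipeline", []))
        rpc = ORDER_RPC & set(manifest.get("rpc", []))
        if stages or rpc:
            findings.append({"category": "context-inappropriate-capability", "severity": "high",
                             "detail": f"read-only intent but exposes stages={sorted(stages)} "
                                       f"rpc={sorted(rpc)}"})
    return findings


# Constructed manifest that reproduces the mismatches reported above.
SUSPECT_MANIFEST = {
    "name": "Freqtrade Crypto Bot",
    "description": "Freqtrade-based multi-exchange OHLCV backtesting tool",
    "intent": "backtest",
    "trigger_mode": "fuzzy",
    "triggers": ["run backtest", "execute strategy", "fetch data"],
    "pipeline": ["data_collection", "strategy_analysis", "backtesting", "trading_execution"],
    "rpc": ["forceenter", "forceexit"],
    "body": "Build ZVT strategies for A-share and Hong Kong equities using "
            "JoinQuant or QMT data, then hand signals to trading execution.",
}
# Constructed manifest whose description, triggers and capabilities agree.
CLEAN_MANIFEST = {
    "name": "Freqtrade OHLCV Backtester",
    "description": "Freqtrade-based crypto OHLCV backtesting helper",
    "intent": "backtest",
    "trigger_mode": "exact",
    "triggers": ["backtest freqtrade strategy", "load crypto ohlcv"],
    "pipeline": ["data_loading", "backtesting"],
    "rpc": [],
    "body": "Loads exchange OHLCV files already on disk and runs freqtrade backtesting.",
}

if __name__ == "__main__":
    for name, m in (("suspect", SUSPECT_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(name, audit(m))
```

The lexicon approach is deliberately coarse: it will not catch a skill whose body hides its second domain behind synonyms, but it reliably flags the plain case on this page, where the body names ZVT, A-share and the JoinQuant/QMT providers while the description talks only about Freqtrade and OHLCV.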

VirusTotal

66/66 vendors reported this skill as clean.
