Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
aiusd-pro
v1.0.0
AIUSD Pro — AI-powered trading agent with built-in reasoning. Use when user wants to trade, check balances, or manage positions through natural language conv...
bytech@aiusd@tech-fe-aiusd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (AI trading CLI) aligns with requiring node and using a CLI. However the package provenance is missing (no homepage/source) and the registry owner is unknown — for a financial/trading tool that matters for trust.
Instruction Scope
Runtime instructions tell the agent to run npx -y aiusd-pro commands, always relay stdout 'as-is' including a browser link, and run long-running background tasks. This delegates trading decisions and execution to a remote backend and asks the agent to expose returned links and outputs verbatim, which increases the chance of leaking sensitive data or following untrusted links.
Install Mechanism
There is no install spec, but the SKILL.md explicitly uses npx -y aiusd-pro, which downloads and executes code from the npm registry at runtime. That is a high-risk dynamic install (supply-chain/execution of unvetted code), especially given no homepage or repo to audit.
Credentials
The skill declares no required environment variables or credentials, which is proportionate on its face. But a trading tool will likely require browser-based authentication or wallet connections at runtime — the instructions rely on a login flow (browser + session_id) without clarifying what credentials or keys may be exposed to the backend.
Persistence & Privilege
always:false and no install/write steps are declared. The skill does not request persistent system privileges. It can run autonomously (platform default), which increases blast radius but is not by itself a disqualifying issue.
What to consider before installing
This skill functions by invoking 'npx -y aiusd-pro', which downloads and runs an npm package at runtime — a significant supply-chain risk. Before installing or using it: verify the npm package and its source repository/homepage, review the package code (or prefer a vetted binary), avoid providing private keys or wallet seeds, run the CLI in a sandboxed environment if possible, and confirm what the backend will do with your account/session data. If you cannot verify the package origin, treat it as untrusted and do not use it for real trading or with any real funds.
latestvk97323g0a4yfz4v1z0fxrhy799830wpv
Runtime requirements
🤖 Clawdis
Bins: node
