TradingFlow — AI-Powered Intent Trading Across Crypto, Stocks & More

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine TradingFlow crypto automation skill, but it grants an agent high-impact trading, secret-management, and webhook authority, with controls that users should review carefully.

Install only if you intentionally want an agent to create and deploy crypto trading bots, manage TradingFlow secrets, and prepare or automate vault operations. If you do:
  • Use least-privilege API keys.
  • Confirm the API base URL is HTTPS and trusted.
  • Store credentials only as secret entries.
  • Avoid unauthenticated webhooks for any process that can trade.
  • Start with tiny spending limits.
  • Require explicit confirmation before deployments, webhook creation, secret changes, or vault permission changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 76%
Finding: The skill introduces social-media, notification, and broader automation behavior beyond narrow vault/trading management. These extra surfaces can be used to ingest untrusted content, trigger actions from external channels, or exfiltrate trading signals and account metadata, increasing attack surface beyond the declared purpose. In a crypto-trading skill, unrelated comms operators materially raise risk.

Context-Inappropriate Capability

Severity: Low
Confidence: 72%
Finding: Generic webhook creation allows external parties or systems to trigger strategy processes and ingest arbitrary signals, which broadens the skill beyond a conversational trading assistant. Without strict validation and scoping, this can become a control channel for unwanted trading logic or data injection. The financial context makes even low-friction signal ingestion sensitive.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The skill is described as focused on crypto trading, strategy deployment, and vault management, but the API reference also exposes account management, billing, subscription, invitation, and identity operations. This expands the agent's reachable authority beyond the user-declared purpose, increasing the risk of unnecessary sensitive actions such as identity binding changes, API key management, or subscription/account modifications if the agent is over-permissioned or prompt-injected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The user-secrets API includes creation, update, deletion, and plaintext retrieval of env_var values, which materially exceeds a narrow trading skill and gives the agent access to highly sensitive runtime configuration. Even though encrypted secrets are not readable, readable env vars can still contain credentials or internal endpoints, enabling credential disclosure, lateral movement, or stealthy reconfiguration of deployed trading processes.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The activation phrases are broad enough to match common conversation like 'my balance', 'help me trade', or 'add secret', increasing the chance the skill is invoked outside clearly intended contexts. In a skill capable of handling secrets, deploying code, and preparing financial transactions, accidental activation can expose sensitive context to an overly powerful workflow. The high-risk domain makes ambiguous triggering more dangerous.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The skill promotes automated trading, vault control, and private-key related setup early, but does not begin with an equally prominent risk disclosure about financial loss, key handling, and irreversible on-chain actions. Users may be steered into high-risk operations before understanding the security model and consequences. In crypto automation, missing upfront warnings materially increases social-engineering and misuse risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The reference documents a public unauthenticated inbound webhook endpoint without prominently warning that anyone possessing the tokenized URL can invoke it. In this skill context, webhook-triggered processes may execute trading logic or vault-related automation, so accidental exposure of the inbound URL could lead to unauthorized strategy execution, spam triggering, or resource abuse.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The documentation explicitly states that inbound webhook endpoints require no authentication, which means anyone who obtains or guesses the URL can trigger the linked process. In the context of a crypto trading automation skill, unauthenticated webhook execution can lead directly to unauthorized trades, fund movement, strategy manipulation, or denial-of-service through repeated trigger spam.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The script transmits both the strategy content and a bearer API key to a remote service, but it performs no validation that the configured base URL uses HTTPS and gives the user no disclosure that potentially sensitive trading logic will be sent off-host. If TRADINGCLAW_BASE_URL is misconfigured to plain HTTP or an attacker-controlled endpoint, credentials and proprietary strategy code could be exposed in transit or sent to the wrong service.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content: External services send POST requests to the `inboundUrl`. No authentication required.

```bash
curl -X POST https://api.tradingflow.fun/api/v1/webhook/inbound/tok_xyz789 \
  -H "Content-Type: application/json" \
  -d '{"symbol": "BTCUSDT", "price": 42000, "signal": "buy"}'
```
Confidence: 96%
Finding: https://api.tradingflow.fun/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:

```bash
[ -z "$NAME" ] || [ -z "$CONTENT" ] && { echo "Usage: create-strategy.sh <name> [language] [chain] <content>"; exit 1; }

curl -s -X POST "$TRADINGCLAW_BASE_URL/strategy" \
  -H "Authorization: Bearer $TRADINGCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d "$(jq -n \
```
Confidence: 86%
Finding: `curl -s -X POST "$TRADINGCLAW_BASE_URL/strategy" -H "Authorization: Bearer $TRADINGCLAW_API_KEY" -H "Content-Type: application/json" -d`

VirusTotal

63/63 vendors flagged this skill as clean.
