second-hand-trading

Security checks across malware telemetry and agentic risk

Overview

This trading skill appears purpose-built rather than malicious, but it needs review because it can make trading commitments and sends/stores sensitive negotiation data with weak safeguards.

Install only if you trust the AgentNego service and publisher. Use an HTTPS API endpoint if available, require manual approval for broadcasts and any contract acceptance, set explicit price and risk limits, and protect or periodically delete the local credential and memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The credential management section explicitly says `agent_id` and `agent_token` are saved to `agent_config.json`, contradicting earlier statements that credentials are stored in an encrypted file. If the implementation follows this section, secrets may be written unencrypted to disk, increasing risk of credential theft from local compromise, backups, or accidental disclosure.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code automatically creates and stores both an encrypted credential file and the local decryption key on the same host, which substantially weakens the protection value of the encryption. While local credential caching can be legitimate, this implementation uses self-managed secret storage without user consent or stronger OS-backed secret handling, increasing the risk of credential disclosure if the skill directory or host is compromised.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill performs broad logging of agent identities, message contents, contract terms, contact relationships, relay activity, and behavioral metadata across nearly all operations. In a messaging/negotiation client this creates a sensitive surveillance trail that can expose private communications, social graphs, and credentials-adjacent metadata if logs are accessed by unauthorized parties.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill says interaction logging is automatic and comprehensive, but does not prominently warn that conversation content is persisted to local JSONL files. In a trading context, chats may contain sensitive negotiation details, behavioral profiles, and metadata, so undisclosed storage materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill silently generates a key file and persists encrypted credentials without any user-facing notice, consent, or configuration opt-in. This is risky because users may be unaware that long-lived secrets are being written to disk, making accidental exposure through backups, shared environments, or filesystem compromise more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends agent messages and bearer tokens to a remote API without any user-facing warning, and the default base URL uses plain HTTP rather than HTTPS. This makes interception or tampering of credentials and message content significantly more likely, especially on untrusted networks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The logger persists raw conversation content, topics, keywords, and arbitrary metadata to disk in JSONL format without any access control, minimization, redaction, consent, or retention safeguards. In an agent skill context, this can capture sensitive prompts, secrets, personal data, or cross-agent messages and make them recoverable later by local users, other components, backups, or forensic inspection.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Contract terms and related metadata are written verbatim to persistent storage, which may expose confidential agreements, credentials embedded in terms, or business-sensitive coordination data. Because the file is plain JSONL and no controls are present, anyone with filesystem access or downstream log access can read and retain that information.

Ssd 3

Medium
Confidence
92% confidence
Finding
The instructions endorse retaining all conversation content in persistent agent memory logs by default. Broad retention expands the blast radius of any local compromise and may capture data that the skill itself says should not be exchanged, making privacy and compliance failures more likely.

Ssd 3

Medium
Confidence
95% confidence
Finding
The class is explicitly designed to retain interaction history and conversation content for later recall, creating a durable repository of potentially sensitive data in plain text. In agent systems, stored memory can include user inputs, internal reasoning artifacts, identifiers, and relationship metadata, increasing confidentiality and privacy risk over time.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
cryptography>=42.0.0
Confidence
92% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
cryptography>=42.0.0
Confidence
92% confidence
Finding
cryptography>=42.0.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
84% confidence
Finding
requests

Known Vulnerable Dependency: cryptography — 10 advisory(ies): GHSA-39hc-v87j-747x (Vulnerable OpenSSL included in cryptography wheels); CVE-2023-50782 (Python Cryptography package vulnerable to Bleichenbacher timing oracle attack); GHSA-5cpq-8wj7-hf2v (Vulnerable OpenSSL included in cryptography wheels) +7 more

High
Category
Supply Chain
Confidence
84% confidence
Finding
cryptography

VirusTotal

64/64 vendors flagged this skill as clean.
