Apex

Security checks across malware telemetry and agentic risk

Overview

This ApeX skill appears to do what it advertises, but it gives an agent live trading and account-changing authority with weak built-in safeguards.

Install only if you intentionally want an agent to assist with ApeX perpetual-futures trading. Use testnet or tightly scoped credentials where possible, keep the Omni seed private, require explicit human confirmation before trades, cancellations, or reward enrollment, and review or delete any generated trading-state.json file containing portfolio data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding:
The script emits standalone market-entry signals such as 'Enter BTC LONG/SHORT' based on CoinGecko data, which goes beyond the stated ApeX skill purpose of trading/monitoring on ApeX and into unsolicited strategy generation. In a trading skill, this is risky because users may treat these outputs as authoritative execution guidance despite the simplistic logic and lack of suitability, risk, or warning controls.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
The code derives momentum signals from short-term price and volume changes and converts them into direct actions like 'Consider LONG entry' and final 'TRADE SIGNAL' recommendations. This is dangerous because it creates execution-adjacent advice using a naive heuristic, which may drive financial decisions without adequate safeguards, and it is not justified by the stated portfolio/execution utility of the skill.

Vague Triggers

Medium
Confidence: 95%
Finding:
The Chinese trigger examples include very generic phrases like "报名活动" and "参加活动," which can match ordinary conversation about joining an activity rather than an explicit request to submit an ApeX/OpenClaw enrollment. In a trading skill with an action that can submit reward enrollments by default, this broad matching materially increases the chance of unintended invocation and unauthorized action initiation.

Natural-Language Policy Violations

Low
Confidence: 85%
Finding:
The skill adds Chinese-only trigger handling but does not state that the user must be interacting in Chinese, nor does it require a language-aware opt-in or disambiguation step. In this context, multilingual broad triggers increase the attack surface for accidental or ambiguous activation of a private account action, especially when paired with automatic default behavior for reward submission.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The script outputs direct trading recommendations such as 'Enter BTC LONG' or 'Enter ETH SHORT' with no cautionary warning, uncertainty disclosure, or statement that the signal is informational only. In a trading-related skill, this increases the likelihood that users will act on oversimplified signals as if they were endorsed recommendations, creating avoidable financial harm.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The script exposes private account actions such as market/limit order placement, reward submission, and cancel-all without any confirmation prompt, dry-run mode, or runtime warning. In an agent skill context, this is especially dangerous because natural-language misunderstandings, prompt injection in upstream tooling, or accidental invocation can directly trigger real financial transactions and order cancellations with immediate monetary consequences.

VirusTotal

67/67 vendors flagged this skill as clean.
