Auto Crypto Trader AI

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, analyzing crypto markets and placing Binance trades, but it also holds high-impact live trading authority and ships with undisclosed billing behavior and unclear billing defaults, all of which need review before use.

Install only after reviewing the billing behavior and adding your own guardrails:
  • Use the Binance testnet first.
  • Use a dedicated trade-only API key with withdrawals disabled and IP restrictions enabled.
  • Keep only limited funds in the trading account.
  • Require manual confirmation for every live order.
  • Verify the SkillPay configuration before passing any user ID or credentials to the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding
The skill declares sensitive capabilities via required environment variables and operational commands that imply network access, but it does not explicitly declare permissions. This undermines transparency and consent because an agent or user may not realize the skill can access secrets and communicate with external services such as Binance and billing endpoints.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The skill is presented as a crypto trading tool, but the findings indicate it also performs third-party billing behavior not clearly disclosed in the primary description, including communication with an external payment platform and a hardcoded default billing API key. Hidden monetization and undisclosed external communications are dangerous because they can lead to unauthorized charges, secret leakage, and user deception in a high-risk financial workflow.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The script is presented as a market-analysis tool, but when not run in test mode it imports billing code and charges a user before producing analysis. This hidden side effect expands the trust boundary beyond the declared purpose and can cause unauthorized financial impact if an agent invokes the script assuming it is read-only analysis.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The security manifest claims the script only makes public Binance API requests, but the executable path also performs billing through an undeclared module. Misrepresenting capabilities is dangerous because agents and reviewers may grant execution permissions based on incomplete disclosures, leading to unexpected monetary actions.

Description-Behavior Mismatch

Severity: High
Confidence: 89%
Finding
The file implements a payment and billing integration even though the skill is described as an AI-driven Binance trading system. Hidden or unrelated monetization logic increases supply-chain risk because users and operators may deploy code that performs unexpected network actions and payment workflows outside the declared purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The external payment-platform integration is not justified by the stated trading purpose, so it introduces an unnecessary third-party dependency that handles identifiers and billing state. In a skill context, unexplained external integrations are more dangerous because they expand data exposure and enable undisclosed monetization or tracking.

Intent-Code Divergence

Severity: Medium
Confidence: 83%
Finding
The docstring states that each call charges 1 token, but the code sends an amount of 0, creating a mismatch between stated and actual billing behavior. This inconsistency is dangerous because it undermines auditability and may conceal broken billing, deceptive logging, or future changes that charge differently than documented.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The script performs billing as a side effect of trade execution even though the skill is described as an automated crypto trading tool, not a payments tool. Hidden or non-obvious charging behavior creates an integrity and consent risk because invoking the skill can trigger financial charges unrelated to the core exchange action.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
Charging the user from within a trade execution script is outside the stated purpose and can lead to unexpected monetary impact. In an agent setting, this is especially risky because the agent may invoke the script believing it only places trades, while the script also initiates billing side effects.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README instructs users to provide live Binance API credentials for an autonomous trading skill but does not warn about credential sensitivity, least-privilege key configuration, or restricting withdrawal permissions and IP access. In the context of an AI-driven trading tool that can place real-money trades, this omission increases the chance that users supply overly privileged production keys, which could lead to account compromise or unintended financial loss if the skill or host agent is misused.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The skill description empowers autonomous market analysis and trade execution with broad wording and minimal trigger constraints. In an agent setting, vague invocation criteria can cause the tool to be used in unintended contexts, increasing the chance of accidental trading, credential use, or billing events without sufficiently explicit user authorization.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The markdown explicitly instructs the agent to execute real Binance market orders, yet it lacks a prominent user-facing warning about financial loss, irreversible execution, slippage, and the risks of autonomous trading. In this context, the omission is especially dangerous because the skill handles live assets and encourages proceeding from analysis directly to trade execution.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code charges the supplied user automatically unless --test-mode is set, with no interactive warning, confirmation, or evidence of prior consent in this script. In an agent setting, this can lead to silent charges triggered by ordinary analysis requests, creating unauthorized or disputed transactions.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The module accesses a billing API key and performs billing-related network calls without clear user-facing disclosure beyond internal comments/docstrings. In an agent skill, undisclosed billing behavior is risky because operators may unknowingly enable external charging or user-data transmission to a third-party service.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The code can place live market buy/sell orders immediately with `create_market_order` and no explicit confirmation gate, dry-run default, or user acknowledgment. Because market orders are irreversible financial actions and the skill is designed for autonomous trading, the absence of an execution safety barrier materially increases the risk of accidental loss.
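The guardrails recommended in the overview (testnet first, trade-only key, manual confirmation per live order) and the execution safety barrier this finding says is missing can be put in a thin wrapper that sits between the agent and the exchange client. The following is an added example written for this review, not the skill's own code: `FakeExchange` is a constructed stand-in so it runs offline, the method names `set_sandbox_mode` and `create_market_order` follow the ccxt-style name the report mentions, the field names in the key-restriction dict mirror the shape of Binance's `GET /sapi/v1/account/apiRestrictions` response (an assumption about the real API, not something the scan verified), and the notional cap is an arbitrary illustration value.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class KeyPolicyError(RuntimeError):
    """The API key grants more than a trade-only bot needs."""


class OrderRefused(RuntimeError):
    """A live order was blocked by the confirmation gate or a size limit."""


class FakeExchange:
    """Constructed stand-in for an exchange client so the example runs offline.

    `restrictions` uses the field names of Binance's apiRestrictions response
    (assumed shape); `set_sandbox_mode` and `create_market_order` are the
    ccxt-style names the scan report refers to.
    """

    def __init__(self, restrictions: Dict[str, bool]) -> None:
        self.restrictions = dict(restrictions)
        self.sandbox = False
        self.orders: List[dict] = []

    def set_sandbox_mode(self, enabled: bool) -> None:
        self.sandbox = enabled

    def fetch_api_restrictions(self) -> Dict[str, bool]:
        return dict(self.restrictions)

    def create_market_order(self, symbol: str, side: str, amount: float) -> dict:
        order = {"symbol": symbol, "side": side, "amount": amount, "sandbox": self.sandbox}
        self.orders.append(order)
        return order


def key_policy_violations(restrictions: Dict[str, bool]) -> List[str]:
    """List every way the key exceeds 'trade-only, IP-restricted, no withdrawals'."""
    problems = []
    if restrictions.get("enableWithdrawals", True):      # missing field counts as unsafe
        problems.append("withdrawals are enabled")
    if not restrictions.get("ipRestrict", False):
        problems.append("key is not IP-restricted")
    if not restrictions.get("enableSpotAndMarginTrading", False):
        problems.append("spot trading is not enabled")
    return problems


@dataclass
class GuardedTrader:
    exchange: FakeExchange
    live: bool = False                                  # sandbox/testnet unless opted in
    max_notional: float = 50.0                          # illustrative per-order cap (quote units)
    confirm: Optional[Callable[[str], bool]] = None     # human-in-the-loop gate for live orders
    audit: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Anything not explicitly live goes to the sandbox; live mode is only
        # allowed with a least-privilege key and a confirmation callback.
        self.exchange.set_sandbox_mode(not self.live)
        if self.live:
            problems = key_policy_violations(self.exchange.fetch_api_restrictions())
            if problems:
                raise KeyPolicyError("; ".join(problems))
            if self.confirm is None:
                raise OrderRefused("live mode requires a confirmation callback")

    def market_order(self, symbol: str, side: str, amount: float, est_price: float) -> dict:
        notional = amount * est_price
        summary = f"{side.upper()} {amount} {symbol} (~{notional:.2f} quote)"
        if not self.live:
            self.audit.append(f"SANDBOX {summary}")
            return self.exchange.create_market_order(symbol, side, amount)
        if notional > self.max_notional:
            self.audit.append(f"REFUSED size {summary}")
            raise OrderRefused(f"notional {notional:.2f} exceeds cap {self.max_notional}")
        if not self.confirm(summary):                   # operator must say yes every time
            self.audit.append(f"REFUSED unconfirmed {summary}")
            raise OrderRefused("operator did not confirm")
        self.audit.append(f"LIVE {summary}")
        return self.exchange.create_market_order(symbol, side, amount)


def demo() -> dict:
    """Walk the four cases a reviewer cares about; inputs are constructed."""
    trade_only = {"ipRestrict": True, "enableWithdrawals": False, "enableSpotAndMarginTrading": True}
    too_broad = {"ipRestrict": False, "enableWithdrawals": True, "enableSpotAndMarginTrading": True}
    results = {}
    # 1. Default construction: order lands in the sandbox, no confirmation required.
    results["sandbox"] = GuardedTrader(FakeExchange(trade_only)).market_order("BTC/USDT", "buy", 0.001, 60000.0)["sandbox"]
    # 2. Over-privileged key: live mode is refused before any order can be placed.
    try:
        GuardedTrader(FakeExchange(too_broad), live=True, confirm=lambda s: True)
        results["key_check"] = "missed"
    except KeyPolicyError as exc:
        results["key_check"] = str(exc)
    # 3. Live, operator declines: nothing reaches the exchange.
    ex = FakeExchange(trade_only)
    try:
        GuardedTrader(ex, live=True, confirm=lambda s: False).market_order("BTC/USDT", "sell", 0.0005, 60000.0)
        results["declined"] = "placed"
    except OrderRefused:
        results["declined"] = "blocked"
    results["orders_after_decline"] = len(ex.orders)
    # 4. Live, confirmed, within the cap: the one path that places a real order.
    results["live"] = GuardedTrader(ex, live=True, confirm=lambda s: True).market_order("BTC/USDT", "sell", 0.0005, 60000.0)["sandbox"]
    return results


if __name__ == "__main__":
    print(demo())
```

The important property is that the dangerous path is opt-in three times over: the caller must set `live=True`, the key must pass the policy check, and a confirmation callback must return true for each order. With a real client the `confirm` callback would prompt the operator rather than an agent, since an agent approving its own orders defeats the gate.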

VirusTotal

66/66 vendors flagged this skill as clean.
