Openclaw Bot Prob Trade

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed trading bot rather than malware, but live mode can automatically spend real funds with limited safeguards.

Install only if you intentionally want an autonomous financial trading bot. Keep dry_run enabled until you have tested strategies, use limited funds and scoped/revocable API keys, avoid auto-restart live deployments until risk limits are durable, verify outbound integrations before enabling optional strategies, and do not rely on guaranteed-profit claims.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill exposes meaningful capabilities such as environment access, file reads, and network use, but does not declare corresponding permissions or prominently communicate them. In an autonomous trading context, undeclared capabilities reduce transparency and can let the bot access secrets or make outbound requests in ways users did not explicitly authorize.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior understates materially riskier functionality: direct calls to external LLM providers, use of externally supplied API keys, and broader external data fetching than basic market scanning. For a trading bot, this expands the trust boundary and attack surface significantly, because sensitive credentials and trading decisions may be influenced by undocumented third-party services and unreviewed data sources.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The deployment guide states the bot only makes outbound HTTPS connections to prob.trade, but elsewhere documents optional integrations with LLM, NOAA, and social-media APIs. This mismatch can mislead operators into creating overly permissive or overly restrictive egress rules, weakening network hardening assumptions and monitoring coverage.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The docstring describes a market-neutral pair arbitrage strategy that profits by eventually holding both YES and NO below a combined cost of 1.00, but the implementation only buys whichever side is currently cheaper and never tracks or completes the opposite leg. In an autonomous trading bot, this mismatch is dangerous because operators may believe they are running a bounded-risk arbitrage strategy when they are actually taking directional exposure on a single outcome, which can lead to substantial unexpected losses.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill does not provide a clear, prominent warning that running the bot can execute real-money trades and affect user funds. In an autonomous trading tool, insufficient warning increases the likelihood of accidental execution, misuse by agents, or misunderstanding of dry-run assumptions, leading directly to financial loss.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation includes realistic API key fields and example secret values inline in configuration snippets, including directly placing `llm_api_key` in `config.yaml` and a hardcoded bearer token in sample code. In a trading bot context, users are likely to copy these patterns into source-controlled files or reusable strategy code, which increases the chance of credential leakage and downstream account/API abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
In live mode, the engine places orders automatically whenever strategy and risk checks pass, with no explicit confirmation gate, kill-switch prompt, or second-factor approval in the order path. For an autonomous trading bot, this materially increases the chance of unintended real-money trades from misconfiguration, faulty strategy logic, bad market data, or compromised upstream components.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The `run` command immediately instantiates the trading engine and starts the autonomous loop without any explicit confirmation, warning, or clear indication that real orders may be placed. In the context of a Polymarket/prob.trade trading bot, this increases the risk of accidental live trading due to operator error, misconfiguration, or misunderstanding of whether `dry_run` is enabled.

VirusTotal

63/63 vendors flagged this skill as clean.