Fund Trading Clawhub

Security checks across malware telemetry and agentic risk

Overview

This finance skill appears intended for simulated fund trading, but its artifacts leave important ambiguity about money impact, API destination, and credential safety.

Install only after confirming this is strictly a virtual-money sandbox and verifying which API endpoint the installed command will actually use. Treat the local config and console output as sensitive, do not share or commit them, and require explicit approval before any subscribe, redeem, or cancel command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The changelog states the tool is for simulated trading with virtual funds, while the skill metadata describes real fund live trading. This inconsistency can mislead users and downstream agents about whether actions have real financial consequences, increasing the risk of unsafe or unauthorized trading behavior. In a financial skill, ambiguity about live versus simulated execution is security-relevant because it affects user consent, risk handling, and operational safeguards.

Missing User Warnings

Medium
Confidence: 96%
Finding
The README explicitly documents storing client_id, client_secret, and access tokens in a local plaintext-style JSON config file, but does not warn users about credential exposure, file permission hardening, or secure storage expectations. Even though the tool is framed as using virtual funds, these credentials still authenticate to backend APIs and could be stolen by local malware, other users on the same machine, backups, or accidental commits.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation describes account registration, token acquisition, asset queries, and trade actions against a remote API, but it does not clearly warn that account identifiers, authentication tokens, portfolio data, and transaction instructions are transmitted to an external service. In a financial context, this omission increases privacy, trust, and misuse risk because users may not understand that sensitive financial metadata leaves the local environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The tool caches OAuth access tokens and, elsewhere in the file, account credentials in a JSON config under the local data directory without any access-control hardening, encryption, or warning to the user. On a shared workstation, compromised user account, or in environments where the data directory is backed up or collected, these secrets could be recovered and reused to query assets or perform trading actions as the user.

Missing User Warnings

High
Confidence: 99%
Finding
During registration, the script persists client_id/client_secret locally and also prints the client secret directly to stdout. Console output is commonly captured by terminal history, logs, screen recordings, remote sessions, and CI wrappers, so exposing a long-lived secret here materially increases the chance of credential theft and unauthorized trading or account access.

VirusTotal

66/66 vendors flagged this skill as clean.
