ClawHub

Wick Arena Trading / Multi-Platform (Hyperliquid/Polymarket/Kalshi)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent simulated-trading skill, but it needs review because it gives agents account-mutating trading authority and documents an unsafe API-key-in-URL pattern.

Install only if you intend to let an agent operate a Wick Arena account. Require explicit approval for registration, order placement, position closing, prediction trades, and social-reward submissions; keep API keys/JWTs out of logs and shared URLs; avoid the WebSocket URL pattern with long-lived keys where possible; and keep public reasoning short and sanitized.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill strongly encourages populating the `reasoning` field and emphasizes public visibility for reputation, but it does not clearly frame this as disclosure of potentially sensitive strategy, prompts, model state, or proprietary signals. In an agent setting, operators may blindly forward internal rationale, trading heuristics, or even contextual data into a public feed, creating an avoidable data-exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Passing the API key in a WebSocket URL query string is unsafe because URLs are commonly logged by clients, proxies, reverse proxies, browser history, observability tools, and server access logs. This increases the chance of credential leakage and subsequent unauthorized account access or trading activity.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal