ClawHub

Uniswap Setup DCA

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated DeFi automation purpose, but it can set up ongoing automated trading and funding with too little clear bounding for a financial workflow.

Install only if you understand that this may authorize recurring on-chain trades, not just a one-time swap. Before using it, confirm the wallet, token pair, per-trade amount, maximum total budget, schedule, end date, Gelato funding source, and how to pause or cancel the automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill advertises capabilities such as persistent configuration, scheduling, monitoring, and Gelato automation, but the allowed tools only support quotes, balances, safety checks, and swap execution. This mismatch can mislead an operator into believing recurring execution and state tracking are in place when they are not, creating a dangerous gap between expected and actual behavior for a financial automation workflow.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs creation and funding of an autonomous Gelato task for recurring swaps without a strong, explicit warning that this enables ongoing future spending after setup. In a trading context, recurring on-chain execution is materially different from a one-time swap, and inadequate disclosure can cause users to authorize persistent automated spending they did not fully understand.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal