Solana Copy Trader

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Solana trading bot, but live mode can use a raw private key to automatically sign real swaps until stopped.

Use this only as high-risk financial automation. Keep it in paper/watch mode unless you have audited the code, use a dedicated low-balance wallet, never provide a main wallet private key, pin dependencies, understand Telegram alert leakage, and do not enable live mode without adding your own confirmations and transaction validation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill references environment-based secrets and operational configuration such as PRIVATE_KEY, RPC_URL, Helius API keys, and Telegram credentials, but no declared permissions are documented. That creates a transparency and consent gap: an agent or user may invoke a skill with access to sensitive secrets without an explicit permission boundary, increasing the risk of unintended secret use or exfiltration if the underlying implementation is unsafe.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 84%
Finding
The documented behavior extends beyond the declared purpose into alerting, wallet analysis, token safety checks, and external metadata lookups. This mismatch weakens user consent and review because operators may approve the skill for copy trading while overlooking additional data collection, external communications, and analysis capabilities that expand the trust boundary.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The file markets the bot as educational and partially watch-only, but it also includes active trading-oriented modes such as copy trading and sniping, plus explicit instructions to enable real execution via a wallet in .env. This mismatch can mislead users, reviewers, or platform operators about the true capabilities and risk profile of the skill, increasing the chance of unsafe deployment.

Intent-Code Divergence

Low
Confidence: 92%
Finding
The documented mode list omits implemented 'copy', 'snipe', and 'safety' modes, which understates the script's actual behavior and hides meaningful operational capability from users and auditors. In a trading bot context, incomplete documentation is security-relevant because it reduces transparency around features that can drive financial actions and token-risk decisions.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The function is presented as a safety check but only evaluates superficial indicators such as token existence, suffix matching, and presence of name/symbol metadata. In a live copy-trading bot for pump.fun launches, this can mislead downstream logic or users into treating highly risky or malicious tokens as 'safe,' increasing the chance of executing scam, rug-pull, or manipulated trades.

Vague Triggers

Medium
Confidence: 79%
Finding
The invocation text is broad enough to match many generic trading or monitoring requests, which can cause accidental activation of a high-risk skill. In this context, accidental invocation is more dangerous because the skill includes wallet tracking, market scanning, and potentially live trade execution, so an overly broad trigger surface can lead to unintended sensitive actions.

Missing User Warnings

High
Confidence: 94%
Finding
The documentation prominently describes switching from paper mode to live execution and references real trades, but it does not present an equally prominent warning about loss of funds, irreversible blockchain transactions, malicious token risk, or the dangers of copying unknown wallets. Because this is a financial automation skill tied to private keys and on-chain execution, insufficient warning materially increases the chance of harmful real-money use.

Missing User Warnings

Medium
Confidence: 95%
Finding
The document tells users to export a Solana private key from Phantom and paste it into a local `.env` file, but it does not clearly explain that this secret grants full control of funds and can be stolen through source control leaks, logs, backups, malware, or misconfigured deployments. In the context of an autonomous copy-trading bot that may execute live trades, encouraging raw private-key export materially increases the chance of wallet compromise and fund loss.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script explicitly encourages users to add wallet material to .env to enable real trading, but does so in promotional language and without strong execution-point safeguards or risk disclosures. In a copy-trading/sniping skill, this increases the likelihood that users expose private keys and activate financially dangerous behavior without understanding the consequences.

Missing User Warnings

Medium
Confidence: 90%
Finding
The function sends arbitrary alert content to Telegram using a bot token and chat ID, but the code shown provides no user-facing disclosure, consent, or control over what data leaves the system. In a trading bot context, alerts can include wallet activity, token positions, and strategy-relevant information, so silent outbound transmission can leak sensitive operational or financial data to a third-party service.

Missing User Warnings

High
Confidence: 95%
Finding
In live mode, the bot automatically mirrors detected whale buys by calling real execution logic without a just-in-time confirmation, explicit opt-in checkpoint, or execution interlock. In a trading bot context this is especially dangerous because blockchain swaps are irreversible and can be triggered by external on-chain activity, causing immediate real-money loss from bad signals, manipulated whale activity, or parser mistakes.

Missing User Warnings

High
Confidence: 98%
Finding
This code deserializes a swap transaction from a remote API, signs it with the configured wallet, and broadcasts it automatically. Even if the quote source is trusted, signing externally constructed transactions without a strong user-facing warning and local verification of expected accounts, amounts, and slippage creates substantial risk of irreversible fund loss if the remote response is wrong, compromised, or mismatched to user intent.

VirusTotal

64/64 vendors flagged this skill as clean.
