ClawHub

Tradebot Alpha

Security checks across malware telemetry and agentic risk

Overview

This is a simple read-only connector that sends a user-provided TradeBot Alpha API key and requested symbol to the documented TradeBot Alpha HTTPS API.

Install only if you trust BlueFeza KG and the TradeBot Alpha service with your API key and requested trading symbols. Prefer a safer secret-handling method than typing the key directly in a shell command, and treat trading signals as informational rather than a guarantee or financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises network-capable behavior ('signal fetcher', external API key usage, homepage/API endpoint references) but does not declare any permissions. This creates a transparency and policy-enforcement gap: users and hosting platforms may not realize the skill can make outbound requests, which can bypass expected consent and review controls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README clearly states the skill interfaces with a cloud API and that users must obtain and use an API key, but it does not prominently warn that requests, identifiers, and any submitted symbols or analysis inputs are sent to an external third-party service. In a connector skill, this omission can mislead users about data flow and trust boundaries, causing them to expose credentials or trading-related data without informed consent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README instructs users to pass the API key via a command-line flag, which can expose secrets through shell history, process listings, audit logs, screenshots, and CI/CD job output. This is a well-known unsafe credential-handling pattern, and the absence of a warning or safer alternative materially increases the chance of credential compromise.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal