ClawHub

UnifAI Trading Suite

Security checks across malware telemetry and agentic risk

Overview

This trading skill is not clearly malicious, but it gives an AI agent broad financial-tool access with weak scoping and limited user safeguards.

Review carefully before installing. Use only with non-privileged or read-only API keys, avoid connecting wallets or live trading credentials, and assume prompts, conversation context, and tool results may be sent to external LLM and data providers. Prefer running the query-only scripts over the generic chat/server paths unless you have audited and constrained the available UnifAI tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions even though it requires environment variables and appears to perform networked operations. This weakens user/admin review because the manifest understates what the skill can access, increasing the chance of unintentionally granting a tool access to secrets and outbound connectivity without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is a narrow trading-insights suite, but the detected behavior is substantially broader: it runs an HTTP server, supports general-purpose chat, queries additional data sources, and exposes trade/portfolio-style actions. This mismatch is dangerous because reviewers and users may trust the benign description while the skill actually introduces a larger attack surface, more data exposure, and potentially action-capable functionality not disclosed in the manifest.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation presents the packaged skills largely as analysis/query helpers while elsewhere in the same file it advertises real trade-execution capabilities, including market and limit order functions. In an agent-skill context, that mismatch can cause operators or downstream agents to invoke the skill under a lower-risk assumption, increasing the chance of unintended financial actions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The agent dynamically fetches whatever tools the UnifAI backend exposes and then allows the LLM to invoke them without any local allowlist, capability filtering, or confirmation step. In a trading-focused agent, this expands authority beyond the documented scope and can enable unintended data access or side-effecting actions if the backend provides broader tools than expected.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The agent fetches dynamic tools from the UnifAI network at runtime and passes them directly to the model, then executes any returned tool calls without allowlisting or scope checks. This creates an overly broad capability surface where a simple user prompt can trigger arbitrary external actions outside the stated trading-insights purpose, especially dangerous because tool definitions are remote and can change independently of the local code.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The system prompt explicitly states the agent can 'execute trades' and lists trading-related tools, while the skill metadata frames the capability as market insights and sentiment analysis. This scope expansion is dangerous because it can cause users or upstream systems to invoke transactional capabilities they did not intend to enable, especially in a high-risk financial context.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The generic chat path retrieves all dynamically discovered UnifAI tools and makes them available to the model, rather than restricting access to prediction-market and sentiment-analysis functions. This creates a capability overexposure issue where the agent may invoke unrelated or higher-risk tools based on prompt injection, model error, or ambiguous user input.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata presents this toolkit as providing trading insights, but it exposes an `execute_trade` action that can perform transactional operations. This creates a scope/expectation mismatch that may cause downstream agents or users to invoke the skill under the assumption it is read-only, increasing the risk of unauthorized or unintended financial actions if the surrounding platform grants it access to real trading credentials.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file documents trading and order-placement capabilities but does not include clear warnings that commands may lead to real financial loss or place live orders. In a skill ecosystem, omission of such warnings is dangerous because users or calling agents may treat the skill as informational and trigger irreversible market actions without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README prominently advertises an AI agent that can create and execute trading strategies, but it does not provide clear warnings about financial loss, market risk, automated execution risk, or the need for human review. In the context of a trading skill, this omission can mislead users into treating the agent as safe for autonomous financial decision-making, increasing the chance of harmful real-world losses.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill relies on multiple external data sources and required API keys, but the documentation does not clearly warn that user queries may be transmitted to third-party services using configured credentials. This can lead to unintended disclosure of sensitive queries, surprise external API usage, and poor operator understanding of privacy and cost implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
User messages, full conversation history, and raw tool results are sent to external LLM and tool providers with no explicit notice or consent in the chat flow. This creates a data exposure risk, especially in a trading context where prompts or tool outputs may contain portfolio details, market positions, API-derived data, or other sensitive financial information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
User-supplied queries are sent to external LLM and tool providers during chat processing without any user-facing notice that prompts and conversation context may leave the local boundary. This is risky because users may provide sensitive financial interests, strategies, or identifiers assuming the interaction is local or limited to the app itself.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The health endpoint reveals whether specific API credentials are configured, which gives unauthenticated callers environmental reconnaissance about the deployment. While it does not disclose the secrets themselves, it can help an attacker profile the service, identify enabled integrations, and target follow-on attacks against available providers or misconfigurations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal