Quant Trader

Security checks across malware telemetry and agentic risk

Overview

This is a coherent crypto trading skill, but it needs Review because it can use exchange API keys for real automated trading while relying on external code that is not included in the package.

Install only after reviewing the external project and dependencies yourself. Use paper trading or testnet first, keep exchange keys withdrawal-disabled and limited to the minimum required permissions, set small trade limits, and require explicit confirmation before any live trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The auto-trigger terms are broad enough to activate the trading skill during general discussion of markets, backtesting, or strategy ideas, even when the user did not intend to invoke a trading-oriented workflow. In the context of a skill that supports paper and live trading, overbroad triggering increases the chance of inappropriate activation, exposure of trading-related prompts, or progression toward sensitive financial actions without clear user intent.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill introduces API key setup and live trading capability near the installation flow without an immediate, prominent warning that real orders may be placed and exchange accounts put at financial risk. In a crypto trading context, this is dangerous because users may proceed from setup to live mode with insufficient awareness that supplying exchange credentials and disabling paper mode can cause irreversible real-money trades.

VirusTotal

66/66 vendors flagged this skill as clean.
