ZKE Exchange Trading Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real-money ZKE trading plugin with disclosed trading and withdrawal powers, but it executes high-impact actions (orders, transfers, withdrawals, leverage changes, cancel-all) with no confirmation step and keeps under-disclosed local logs of sensitive tool data.

Install only if you intentionally want an agent to control a live ZKE account. Use API keys with withdrawals disabled, IP allowlisting, and the narrowest trade permissions possible; avoid storing large balances under keys available to the plugin. Treat ~/.zke-trading/openclaw-plugin.log as sensitive because it may contain account activity, order details, amounts, and withdrawal addresses. For safer use, require manual confirmation outside the agent before any order, transfer, withdrawal, leverage change, or cancel-all action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The server exposes a live withdrawal capability that can move funds to arbitrary external addresses, but the skill metadata only describes trading, asset management, and market data access. This is dangerous because an agent or user may reasonably assume the skill cannot perform irreversible off-platform fund transfers, creating a severe scope-mismatch and consent failure for a high-impact financial action.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The plugin creates a persistent log file under the user's home directory even though the skill description only covers trading and market functions, not local data retention. In a trading context, any extra storage of operational metadata expands the attack surface and can expose account activity, host details, and timing information to other local users or malware.

Description-Behavior Mismatch

Severity: Medium
Confidence: 99%
Finding
The wrapper logs full tool parameters and full results verbatim to disk for every tool invocation. Because these tools handle trading, wallet, margin, and futures operations, the logged data may include balances, positions, order details, addresses, and other sensitive financial information, creating undisclosed retention and possible local exfiltration risk.

Intent-Code Divergence

Severity: Low
Confidence: 91%
Finding
The comment claims that removing the dangerous-property mapping ensures fully silent execution, but the code still performs persistent logging of inputs and outputs. This mismatch is security-relevant because it can mislead reviewers and users about actual behavior, reducing transparency around sensitive data handling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
This file exposes a direct withdrawal primitive that can move funds off-platform, which is materially more dangerous than ordinary spot/futures trading or internal asset management. In an agentic setting, a withdrawal endpoint enables irreversible exfiltration of user assets if the agent is prompted, misused, or compromised, and the manifest description does not clearly justify or constrain that capability.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The 'Magic Prompts' are broad and action-oriented, including live trading and fund transfers, but they provide no trigger boundaries, confirmation requirements, or exclusions for when the skill should refuse or seek extra verification. In a financial-trading context, overly broad invocation guidance can cause accidental activation or unsafe execution of sensitive operations from natural-language requests.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill advertises placing orders and transferring assets with example prompts, but does not present a prominent user-facing warning that these are real-money, irreversible, or loss-bearing actions. In a trading skill, this omission is especially dangerous because users may treat examples as harmless demos and unintentionally execute real trades or move funds.

Missing User Warnings

Severity: High
Confidence: 94%
Finding
The create-order and cancel-order flows invoke live trading actions immediately from command-line arguments with no confirmation, preview, dry-run default, or secondary safety check. In an agent skill context, this is dangerous because a mistaken prompt interpretation, parameter mix-up, or malicious indirect instruction can place or cancel real orders and cause direct financial loss.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
Transfer and withdraw commands can move assets between accounts or off-platform using only positional arguments, with no confirmation step, destination verification workflow, or amount sanity checks visible in this file. In a trading agent environment this is especially dangerous because a single bad instruction or parameter injection could irreversibly move funds to the wrong place or enable theft if the skill is misused.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
Margin and futures commands perform live order placement, cancellation, leverage changes, margin-mode changes, and position-margin edits without explicit warning or confirmation. Because these actions can amplify exposure and liquidation risk, the lack of interaction safeguards is materially dangerous in an autonomous or semi-autonomous agent setting.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The code automatically reads exchange API credentials from environment variables and initializes authenticated clients without any user-facing disclosure. In a skill ecosystem, this can surprise users or orchestrators about the level of account access being activated, increasing the chance of unintended privileged operations with live funds.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The spot order creation tool places live orders directly with no built-in confirmation, simulation mode, or guardrails. This is dangerous because an LLM-driven agent can misinterpret intent, ticker, side, price, or size and immediately execute irreversible market activity on a funded account.

Missing User Warnings

Severity: Critical
Confidence: 99%
Finding
The withdrawal tool can send assets to an external address with no in-code confirmation or additional safety controls. Because withdrawals are typically irreversible and move funds off-platform, any prompt-injection, tool misuse, or parameter confusion could directly result in permanent asset loss.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The margin and futures trading tools execute leveraged, account-changing actions without built-in warnings or confirmation. These operations can amplify losses, change liquidation risk, and alter account configuration, making autonomous or mistaken invocation particularly dangerous in this trading skill context.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Sensitive tool parameters and results are written directly to a local log file without disclosure, redaction, or consent. In this skill's context, those values can reveal financial positions, transactions, wallet details, and possibly API-related operational data, making the issue more dangerous than ordinary application logging.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code comment indicates an intent for silent operation while the plugin performs consequential actions and logging without explicit user-facing transparency. For a trading plugin, silent behavior around execution and data handling undermines informed consent and can conceal risky side effects from the operator.

Natural-Language Policy Violations

Severity: Medium
Confidence: 88%
Finding
The comment explicitly normalizes 'fully silent execution' in a plugin that handles financially sensitive operations and logs tool data. Even though the comment itself does not execute, it signals an implementation posture that deprioritizes transparency and increases the likelihood of hidden or undisclosed user-impacting behavior.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The child process inherits the full parent environment via `env: { ...process.env }`, which can expose secrets such as API keys, tokens, cloud credentials, or CI secrets to `main.py` and any code it imports. In a trading skill context, this is more dangerous because the Python side may handle exchange credentials and execute sensitive financial actions, so unnecessary environment exposure broadens the blast radius if the Python runtime, its dependencies, or the plugin's trading home directory are compromised.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This file exposes direct futures order placement capabilities, including market and limit orders, without any built-in confirmation, risk acknowledgement, or safety interlock at the tool boundary. In an agent-driven trading skill, a prompt-injected or mistaken model action could immediately open or close leveraged positions and cause real financial loss, so the lack of a confirmation gate is a real security-relevant weakness.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
Conditional order creation is also a state-changing trading action that can create latent exposure without an immediate visible effect, making accidental or manipulated invocation especially dangerous. Because this skill is specifically for exchange trading, these calls can schedule future execution of leveraged trades with no user-facing confirmation or safeguard, which materially increases abuse risk in an LLM agent context.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Order cancellation changes trading state and can remove protective or exit orders, potentially increasing exposure or leaving positions unmanaged. The especially risky case here is cancel-all behavior, which can wipe out all open orders without any confirmation step, enabling significant operational and financial harm if invoked by mistake or via prompt manipulation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This file exposes direct trading-control actions for futures accounts, including changing position mode, margin mode, position margin, and leverage, and invokes them immediately through subprocess calls with no visible confirmation, policy gating, or safety interlock. In a trading skill, these are high-risk state-changing operations: if triggered by prompt injection, agent misunderstanding, or user ambiguity, they can rapidly alter liquidation risk and account exposure and cause real financial loss.

Missing User Warnings

Severity: High
Confidence: 93%
Finding
This tool exposes direct margin order creation functionality with no visible confirmation, risk acknowledgment, policy gate, or secondary authorization before executing a real trading action. In an agentic context, especially for leveraged/margin trading, a prompt injection, model mistake, or misunderstood user request could immediately place financially risky orders and cause loss.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
This tool performs live order cancellation, a destructive trading operation, without any visible confirmation or intent verification. In a trading agent, accidental or induced cancellations can disrupt execution strategies, interfere with risk management, and cause direct financial harm if protective or time-sensitive orders are removed.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This tool exposes direct spot order creation as a callable action with no visible confirmation, risk acknowledgment, or secondary authorization in this file. In an agent setting, prompt injection, model error, or ambiguous user input could cause unintended live trades, leading to immediate financial loss.

VirusTotal

0/63 vendors flagged this skill; all 63 reported it as clean. Note that a clean antivirus verdict says nothing about the agentic findings above, which concern intended capability and missing safeguards rather than malicious code.