HyperClaw

Security checks across malware telemetry and agentic risk

Overview

HyperClaw appears purpose-built for Hyperliquid trading, but it gives an agent live financial authority with limited safety gates and a network-exposed proxy.

Install only if you intentionally want an agent to operate a Hyperliquid account. Start on testnet, use a separate low-balance API wallet, keep the .env file private, do not point HL_PROXY_URL at untrusted services, run the proxy only on a trusted local network, and manually verify asset, side, size, leverage, collateral, and cancellation effects before any mutating command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tainted flow: 'proxy_url' from os.getenv (line 154, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    return
    try:
        import requests
        requests.post(f"{proxy_url}/cache/clear", json={"user": address}, timeout=2)
    except Exception:
        pass  # Proxy may be down; not critical
Confidence
95% confidence
Finding
requests.post(f"{proxy_url}/cache/clear", json={"user": address}, timeout=2)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The server exposes unauthenticated administrative cache-management functionality via /cache/clear, allowing any network client that can reach the service to evict cache entries for arbitrary users, for a given type, or for the entire cache. This is dangerous because it expands the skill beyond its stated trading/proxy purpose into remote administration and enables denial of service, bypass of cache-poisoning resistance, and operational disruption without authorization.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README prominently lists commands such as buy, sell, cancel, cancel-all, close, and modify-order without an explicit warning that these actions can execute against a real Hyperliquid account and affect funds. In a trading skill intended for AI agents, omission of a strong safety notice increases the chance that a user or autonomous agent will invoke destructive commands in a live environment by mistake.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents live trading commands while the setup defaults to mainnet (`HL_TESTNET=false`) and does not give a prominent warning that orders are real and potentially irreversible. In an agent setting, this materially increases the chance of accidental execution of market or leveraged trades with real funds, especially because the skill is user-invocable and includes direct buy, sell, close, leverage, and swap commands.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The cancel-all command performs a destructive trading action immediately, without any confirmation prompt, dry-run mode, or explicit safety gate. In an agentic trading context, a mistaken invocation or prompt-injection-driven action can instantly remove all protective and strategy orders, materially increasing financial risk.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The Grok helper forwards arbitrary user prompts to a third-party API, but the command path does not clearly warn at execution time that the query content will leave the local environment. In an agent skill, users may include trading ideas, account context, or proprietary information, so silent transmission to x.ai creates a real privacy and data-governance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
