whitebit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WhiteBIT trading education and API-planning skill that uses documentation lookup and does not include live trade execution by itself.

Install this as a training and request-planning aid, not a trading bot. Keep WhiteBIT API keys only in a trusted external executor, require human confirmation before any live order outside this skill, and review files before using ClawHub publish or sync commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 82% confidence
Finding: The default prompt is broad enough to trigger this skill for general WhiteBIT-related requests, including planning and API-validation tasks that may not require this specific skill. Because the skill also permits implicit invocation and connects to an external MCP documentation source, unintended activation could expose users to unnecessary tool use or cause the agent to over-assume authority in trading-related workflows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal