ClawHub

Helius x DFlow

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Solana trading-development guide with expected financial and wallet-analysis capabilities, but users should treat its transaction and credential workflows carefully.

Install this only if you intend to build Solana trading or wallet-intelligence applications. Prefer project-scoped installation, verify any external MCP packages before adding them, protect API keys/JWTs/keypair files, and do not let generated code sign transactions, upgrade paid plans, or run trading bots until amounts, tokens, slippage, fees, spending limits, and user approvals are clearly implemented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document mandates `skipPreflight: true` for all Sender transactions and presents it as a requirement without clearly warning that preflight suppression removes a key safety check for malformed, failing, or unintended transactions. In a trading/infrastructure skill, this can materially increase the chance that integrators submit invalid or unsafe transactions blindly, especially if they do not implement robust simulation, confirmation, and retry logic first.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guidance encourages wallet investigation, funding-source tracing, sybil detection, and risk scoring without any caution about privacy, consent, legal compliance, or potential misuse for deanonymization and profiling. In a blockchain intelligence skill, this omission can normalize intrusive attribution workflows and increase the risk of privacy-invasive or noncompliant use.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document provides patterns for automated trading bots and direct signing/submission of Solana transactions without clearly warning that these actions can trigger irreversible financial losses, market exposure, or unintended on-chain execution. In a skill intended to help build trading applications, this omission materially increases the chance that downstream agents or developers will implement unattended execution flows without user consent gates, risk controls, or clear disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal