ClawHub

Meme Risk Radar

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed read-only meme-token risk scanner, but scan and audit commands can make paid SkillPay calls and Binance Web3 network requests.

Install only if you are comfortable with scan/audit commands contacting Binance Web3 and SkillPay. Use noop billing for testing, verify the actual SkillPay env vars required by the runtime, and set billing URL/API-key variables only in a trusted environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation describes use of environment variables and outbound network access for Binance Web3 and SkillPay, but no explicit permissions are declared. This creates a transparency and policy-enforcement gap: a host may execute the skill with broader capabilities than reviewers or users expect, increasing the chance of unintended data exposure, unauthorized external calls, or billing-related abuse if the runtime does not constrain undeclared capabilities.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The scan and audit commands trigger external network actions, including paid billing via `maybe_bill()` and token-analysis API calls, without any explicit runtime notice, confirmation, or dry-run path before those actions occur. In a skill context, this can cause unexpected charges and silent data transmission to third-party services, which is a real trust and consent issue even if it is not direct code execution or data exfiltration of secrets.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal