ClawHub

Base Alpha Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Base-chain market scanner that queries public crypto data sources and does not show hidden persistence, account control, trading, or destructive behavior.

Install only if you want an agent to query third-party crypto market-data sites and generate Base-chain alerts. Validate token addresses before use, avoid logged-in browser sessions unless needed, protect any Basescan API key, and verify trading signals independently before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest description says to use the skill for 'any on-chain analysis task on Base chain' and includes a long open-ended list of scenarios. This lacks clear trigger boundaries or exclusion conditions, making invocation criteria broader than the skill's specific scanning purpose.

External Transmission

Medium
Category
Data Exfiltration
Content
## Basescan (free tier = rate limited)

Base URL: `https://api.basescan.org/api`

| Module | Action | Key Params |
|--------|--------|------------|
Confidence
50% confidence
Finding
https://api.basescan.org/

External Transmission

Medium
Category
Data Exfiltration
Content
## VIRTUAL Protocol

Official API: `https://api.virtuals.io/api/virtuals`

Key params:
- `filters[status]=DEPLOYED` — live agents only
Confidence
50% confidence
Finding
https://api.virtuals.io/

External Transmission

Medium
Category
Data Exfiltration
Content
from datetime import datetime, timezone

DEXSCREENER_BASE = "https://api.dexscreener.com"
BASESCAN_API = "https://api.basescan.org/api"
GMGN_BASE = "https://gmgn.ai/defi/quotation/v1"

def fetch_json(url, headers=None):
Confidence
60% confidence
Finding
https://api.basescan.org/

External Transmission

Medium
Category
Data Exfiltration
Content
print(f"  → https://basescan.org/token/tokenholderchart/{addr}")
        print()
        # Try the free endpoint
        url = f"https://api.basescan.org/api?module=token&action=tokenholderlist&contractaddress={addr}&page=1&offset=20&apikey=YourApiKeyToken"
        data = fetch_json(url)
        if data.get("status") == "1":
            holders = data.get("result", [])
Confidence
60% confidence
Finding
https://api.basescan.org/

External Transmission

Medium
Category
Data Exfiltration
Content
# Bankr API endpoints
    endpoints = [
        "https://api.bankr.bot/tokens/trending?chain=base&limit=20",
        "https://bankr.fun/api/tokens?chain=base&sort=trending&limit=20",
        "https://api.bankr.fun/v1/tokens/trending?chain=base",
    ]
Confidence
60% confidence
Finding
https://api.bankr.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
endpoints = [
        "https://api.bankr.bot/tokens/trending?chain=base&limit=20",
        "https://bankr.fun/api/tokens?chain=base&sort=trending&limit=20",
        "https://api.bankr.fun/v1/tokens/trending?chain=base",
    ]

    data = {"error": "not tried"}
Confidence
60% confidence
Finding
https://api.bankr.fun/

External Transmission

Medium
Category
Data Exfiltration
Content
print("⚡ VIRTUAL Protocol — AI Agent Ecosystem\n")

    # Virtual Protocol API
    url = "https://api.virtuals.io/api/virtuals?filters[status]=DEPLOYED&sort[0]=createdAt%3Adesc&pagination[page]=1&pagination[pageSize]=20"
    data = fetch_json(url)

    if "error" in data:
Confidence
60% confidence
Finding
https://api.virtuals.io/

External Transmission

Medium
Category
Data Exfiltration
Content
print(f"Virtual API error: {data['error']}")
        # Fallback: DexScreener search for VIRTUAL pairs
        print("Falling back to DexScreener VIRTUAL pairs...\n")
        url2 = "https://api.dexscreener.com/latest/dex/tokens/0x0b3e328455c4059EEb9e3f84b5543F74E24e7E1b"
        data2 = fetch_json(url2)
        pairs = [p for p in data2.get("pairs", []) if p.get("chainId") == "base"]
        print(f"Found {len(pairs)} VIRTUAL pairs on Base:\n")
Confidence
60% confidence
Finding
https://api.dexscreener.com/

External Transmission

Medium
Category
Data Exfiltration
Content
results = []

    for term in ai_terms[:4]:  # Limit API calls
        url = f"https://api.dexscreener.com/latest/dex/search?q={term}"
        data = fetch_json(url)
        pairs = [p for p in data.get("pairs", []) if p.get("chainId") == "base"]
        results.extend(pairs)
Confidence
60% confidence
Finding
https://api.dexscreener.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal