Conviction FM

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Conviction.fm MCP skill for test-currency crypto prediction competitions, but users should understand the external package and automatic agent behavior before installing.

Install only if you intend to use Conviction.fm through the conviction-mcp package. Verify the npm package source, prefer a pinned version if available, set clear per-entry and daily limits when creating an agent, and pause the agent when you no longer want automatic entries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium, 88% confidence
Finding
The activation guidance is broad enough to trigger on generic requests about crypto predictions, leaderboards, or trading-related tasks, which can cause the skill to activate outside the user's specific intent. In this skill, unintended activation is more dangerous because the available tools can create funded agents and enable automated actions, increasing the chance of unauthorized or surprising actions.

Missing User Warnings

Medium, 95% confidence
Finding
The quick-start flow states that creating an agent causes it to begin competing automatically every 5 minutes, but this material behavior is not clearly disclosed as a warning before the action is suggested. That omission can lead users to authorize agent creation without understanding that it will immediately and repeatedly take autonomous actions, which is especially risky in a finance-themed skill even if it uses test funds.

VirusTotal

64/64 vendors flagged this skill as clean.
