Zerion Api

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward Zerion API helper for reading crypto wallet data, with the main caution being privacy around wallet lookups sent to Zerion.

Install if you are comfortable sending wallet addresses, portfolio queries, token/NFT lookups, and related on-chain activity to Zerion. Avoid querying sensitive or personally identifying wallets unless you understand the privacy implications, and use a scoped Zerion API key if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README encourages querying wallet portfolios, transactions, DeFi positions, and NFTs through Zerion's MCP server but does not warn users that wallet addresses and related on-chain activity will be sent to a third-party service. Even though blockchain data is public, aggregating and transmitting addresses to an external API can expose sensitive financial profiling, link identities across chains, and create privacy risks users may not expect from the documentation alone.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill instructs users to configure and use a remote HTTP MCP server but does not clearly warn that wallet addresses, portfolio queries, and other user-supplied inputs will be transmitted to a third-party service. In a blockchain-analysis context, wallet addresses and query patterns can reveal sensitive financial relationships, holdings, and investigative interests, so lack of disclosure can lead to unintended privacy leakage and compliance issues.

VirusTotal

66/66 vendors flagged this skill as clean.
