ClawHub

Indigo Loan

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Indigo Protocol CDP helper that can prepare risky DeFi transactions, but it does not show hidden signing, credential access, persistence, or exfiltration.

Install this only if you intend to manage Indigo Protocol CDPs and you trust the external Indigo MCP server. Treat every generated transaction as financially consequential: verify the CDP reference, asset, amount, fees, leverage, collateral ratio, liquidation risk, and wallet transaction details before signing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill exposes multiple high-impact financial actions such as opening, leveraging, liquidating, freezing, and withdrawing from CDPs without any embedded warning about liquidation risk, irreversible on-chain effects, or the possibility of financial loss. In an agent setting, this omission increases the chance that a user invokes destructive or risky actions without informed consent, especially because blockchain transactions may be costly and difficult or impossible to reverse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation exposes numerous high-impact financial write operations such as opening, leveraging, liquidating, redeeming, freezing, and closing CDPs, but does not warn users that these actions affect real on-chain positions, may incur losses, and become irreversible once signed and submitted. In a DeFi/CDP context, omission of transaction-risk guidance materially increases the chance that users or downstream agents trigger destructive or loss-inducing actions without understanding liquidation, leverage, or permanent fund movement consequences.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This is a real safety issue: the skill describes opening, withdrawing from, and closing CDPs without warning users about liquidation risk, minimum collateralization constraints, or the need to burn/repay outstanding iAssets before collateral can be safely reclaimed. In a DeFi borrowing context, omission of these warnings can mislead users into taking actions that trigger liquidation, failed transactions, or unexpected loss of funds.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This skill facilitates opening leveraged on-chain debt positions but does not prominently warn users about liquidation, amplified losses, or the possibility of losing collateral. In a financial skill, omission of these risk disclosures can cause users to authorize dangerous transactions without understanding that leverage materially increases downside and liquidation risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example prompts directly encourage users to open leveraged positions without warning that these actions affect real on-chain funds and should be carefully reviewed before signing. Because the workflow culminates in an unsigned transaction, users may be socially steered toward risky authorization without adequate friction or informed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill provides operational guidance for liquidation, freezing, and redemption of CDPs and shows a direct liquidation workflow, but it does not prominently warn users about irreversible financial consequences such as loss of collateral, repayment obligations, bonus mechanics, or the risk of acting on the wrong position. In a DeFi context, these are high-stakes actions, and presenting them as routine actions without explicit consequence and authorization checks increases the chance of accidental or socially engineered asset loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The mint workflow states that minting 'increases debt ratio' and suggests checking CDP health first, but it does not provide an explicit user-facing warning that minting more debt can materially increase liquidation risk if market conditions move. In a DeFi CDP context, omission of this warning can mislead users into signing transactions that worsen solvency and lead to liquidation losses.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The burn and full-repayment workflows describe debt reduction benefits but omit a clear warning that the burn consumes iAssets from the user's wallet, potentially using the entire available balance when repaying all debt. This can cause unintended asset depletion or prevent the user from understanding the tradeoff before signing the transaction.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal