ClawHub

Web3 Daily Mcp

Security checks across malware telemetry and agentic risk

Overview

This MCP skill does what it says: it fetches Web3 digests and, when requested, sends wallet addresses to a disclosed backend for personalized analysis.

Install only if you are comfortable with an npm-based MCP server calling the J4Y backend. Use the public digest and market tools if you do not want to share a wallet address; use personalized digest or wallet profile only for addresses you are comfortable having profiled and cached by the service for 24 hours.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The tool sends a user-supplied wallet address to a third-party backend to generate a personalized digest, but this code provides no explicit consent prompt, privacy notice, or indication that the address will leave the local agent context. Wallet addresses are pseudonymous rather than secret, but they are linkable to financial activity and can reveal holdings, behavior, and identity correlations when processed by a remote service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This profile tool transmits the wallet address and profiling options, including force_update, to a remote API that performs behavioral analysis. In the context of a wallet profiling feature, the data is especially privacy-sensitive because it is used to infer investor profile, transaction patterns, and interests, increasing the risk of deanonymization and unwanted profiling if users are not clearly warned.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal