ClawHub

Dappier

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Dappier API integration that sends user-selected queries, including optional home addresses for solar analysis, to Dappier using a user-provided API key.

Install only if you are comfortable sending chosen prompts, financial/news/research queries, and any submitted solar-analysis address to Dappier under your API key. Do not submit secrets, regulated data, or someone else’s home address unless you have a reason and permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script performs address-specific solar and roof analysis, which is materially different from the skill's declared purpose of web search and premium media data access. This scope mismatch is dangerous because it can cause users or reviewers to authorize a skill under false assumptions while it processes sensitive location data for an unrelated use case.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script solicits a residential home address and transmits it for property analysis even though the stated skill purpose does not justify collecting precise residential location data. Residential addresses are sensitive personal data, and unjustified collection increases privacy risk and the chance of misuse or overcollection.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README instructs users to send free-form queries, financial prompts, research topics, and even a street address to a third-party API, but it does not warn that this data leaves the local environment or may contain sensitive personal or business information. In an agent-skill context, this omission increases the risk that operators or downstream users unknowingly submit personal data, location data, or confidential queries to an external service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs users to submit a residential home address to the Stellar AI tool but does not warn that this is sensitive personal data being sent to a third-party service. This creates a privacy risk because users or downstream agents may disclose precise location information without informed consent, and home addresses can enable profiling, occupancy inference, or other secondary misuse if retained, logged, or exposed by the service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This script sends the user's raw query to Dappier's external API without any notice, consent flow, or data minimization. In an agent/skill context, users may provide sensitive information in prompts, so silent transmission to a third party creates a real privacy and compliance risk even if the behavior is functionally required for web search.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends the user-supplied address to an external API without any disclosure in the script output or usage text that third-party processing will occur. This is dangerous because users may reveal precise home addresses without understanding they are being transmitted off-system to a remote service, creating privacy and compliance concerns.

External Transmission

Medium
Category
Data Exfiltration
Content
const dataModelId = "dm_01j0pb465keqmatq9k83dthx34";

const resp = await fetch(
  `https://api.dappier.com/app/v2/search?data_model_id=${dataModelId}`,
  {
    method: "POST",
    headers: {
Confidence
88% confidence
Finding
https://api.dappier.com/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal