Antalpha Ai Setup

Security checks across malware telemetry and agentic risk

Overview

This setup skill is coherent, but it gives an AI agent broad wallet and trading capabilities without enough documented safety and credential boundaries.

Install only if you trust Antalpha and can configure your MCP client to require explicit approval before every trade, swap, transfer, leverage change, order, or copy-trading action. Use least-privilege or read-only credentials where available, avoid funded wallets until approval and revocation behavior is clear, and disable tools you do not intend to use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README instructs users to register an agent and copy an `agent_id` and `api_key` into client configuration, but provides no guidance on secure storage, least-privilege handling, or the fact that these credentials will be transmitted to and used by third-party MCP clients. In the context of a Web3 trading/analytics MCP server with potentially sensitive account activity and trading capabilities, normalizing casual handling of API credentials increases the risk of credential leakage, unauthorized tool use, and downstream account abuse.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
This skill advertises numerous high-impact tools that can place trades, execute swaps, follow traders, create mining task batches, and request token transfers, but it does not include clear warnings about irreversible financial actions, loss risk, or the need for explicit user confirmation. In an AI-agent setting, presenting action-capable tools without prominent safety guidance increases the chance of accidental or overly autonomous execution of real-world transactions.

VirusTotal

64/64 vendors flagged this skill as clean.