wallet balance

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but its local gateway can persist, list, modify, and query saved wallet addresses without built-in authentication or per-user isolation.

Review before installing. Use this only for a trusted single-user local setup unless you add authentication, bind the service to localhost, and isolate memory per user/session. Do not expose the gateway publicly as shipped. Be aware that saved wallet addresses persist on disk and balance lookups may send addresses or names to Antalpha MCP and public blockchain/price providers. Never provide seed phrases, private keys, or signing credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill performs network requests and may access environment-backed tooling, but it declares no permissions. That mismatch weakens review and enforcement because operators and policy engines cannot accurately understand or restrict what the skill can do. In this context, the skill sends wallet addresses to local and external services, so undeclared capabilities materially affect privacy and governance.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README explicitly advertises memory-based invocation such as 'check my balance' that can act on previously stored wallet addresses without requiring the user to restate scope. In an agent setting, broad natural-language triggers increase the risk of unintended invocation and silent retrieval of sensitive financial information, especially if conversation context is ambiguous or shared across sessions/users.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The usage examples include vague phrases like 'What's in my wallet?' and '查我的余额', which do not clearly state whether the agent should use stored addresses, current-session context, or newly provided input. In a skill that supports persistent memory, such ambiguity can cause overbroad access to remembered wallet data and accidental disclosure of balances.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes persistent address memory and exposes memory-management endpoints, but it does not warn users that wallet addresses are personal financial identifiers that may be retained on disk and later queried automatically. This omission can lead to privacy harm, unexpected retention, cross-user leakage on shared deployments, and unintentional exposure of wallet holdings.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The remembered-address trigger is broad enough that ordinary wallet questions without a clear save/lookup intent may cause a memory-based balance query. That can surface previously stored addresses or aggregate holdings when the user may have meant a different address or a general question, creating privacy leakage and unintended data disclosure. The wallet context makes this more sensitive because balances and linked addresses are financial data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages storing wallet addresses in memory but does not clearly disclose the privacy implications, retention behavior, or that future balance requests may aggregate saved addresses. Wallet addresses are persistent financial identifiers, so saving them without meaningful warning can expose user portfolio information across sessions and increase linkage risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill sends user-derived wallet addresses to external services such as the MCP endpoint and public blockchain/price providers without any in-file consent, notice, or minimization controls. Wallet addresses are sensitive identifiers because they can reveal holdings and transaction history, so undisclosed transmission creates a real privacy risk, especially in an agent setting where users may assume data stays internal.

External Transmission

Medium
Category
Data Exfiltration
Content
When the user clearly wants to save (e.g. "remember", "yes", "记住", "是", "save this address"), call with the **full canonical address** from the query you just ran:

```bash
curl -sS --connect-timeout 5 --max-time 15 -X POST \
  "http://127.0.0.1:3000/agent-skills/v1/memory" \
  -H "Content-Type: application/json" \
  -d '{"add":"{{full canonical address or original input}}"}'
```
Confidence
93% confidence
Finding
curl -sS --connect-timeout 5 --max-time 15 -X POST \ "http://127.0.0.1:3000/agent-skills/v1/memory" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -sS --connect-timeout 5 --max-time 90 --retry 1 \
  "https://api.antalpha.com/agent-skills/v1/assets?input={{input}}" \
  -H "Accept: application/json"
```
Confidence
88% confidence
Finding
https://api.antalpha.com/

VirusTotal

66/66 vendors flagged this skill as clean.
