blockbeats

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward BlockBeats crypto news and market-data lookup skill, with the main caution that broad trigger phrases could route some generic news or market requests to BlockBeats.

Install this only if you trust BlockBeats and are comfortable using a BlockBeats API key for outbound requests. Use explicit wording such as 'BlockBeats crypto news' or 'search BlockBeats for...' to avoid accidental provider selection, and monitor API usage or quota if your key has limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrases for the market-overview workflow are broad natural-language requests like general market discussion, which can cause unintended activation during ordinary conversation. In an agent setting, over-broad invocation can lead to unexpected external API calls, disclosure of query intent to a third party, and user confusion about why the skill ran.

Vague Triggers

Medium
Confidence: 90%
Finding
The capital-flow scenario uses vague phrases such as general discussion of buying activity or trends, which overlap with normal finance conversation and may trigger the skill unintentionally. That creates unnecessary outbound requests and can cause the agent to act on the wrong domain-specific interpretation of the user's message.

Vague Triggers

Medium
Confidence: 88%
Finding
The macro-assessment triggers include very general phrases like broad market-timing or macro questions that are common in ordinary discussion. This can misroute user requests into external crypto-data lookups and produce irrelevant or privacy-impacting third-party calls without sufficiently explicit consent.

Vague Triggers

Medium
Confidence: 93%
Finding
The keyword-search scenario includes generic phrases like 'find' or '[keyword] news', which are common across many agent tasks and can collide with ordinary search requests. Because the skill then forwards user-supplied terms to a third-party API, accidental invocation can leak user interests or sensitive topics externally.

Vague Triggers

Medium
Confidence: 90%
Finding
The newsflash/article intent mapping uses broad user phrases like 'latest news' and 'what's new' without scope constraints, making accidental activation likely in a general-purpose assistant. In practice, this can cause silent routing of normal conversational requests into this skill and unnecessary external requests to the provider.

VirusTotal

63/63 vendors flagged this skill as clean.
