Liberfi Swap

Security checks across malware telemetry and agentic risk

Overview

This is a high-impact crypto swap skill that mostly matches its purpose, but it asks agents to silently install a global CLI and mixes wallet-authorized trading with ambiguous cross-skill actions.

Review carefully before installing. Only use it if you trust LiberFi and are comfortable with wallet-authenticated swaps through its CLI. Do not allow silent installation; install or approve the CLI yourself, prefer a pinned version, verify the active wallet with whoami, and confirm exact token addresses, chain, smallest-unit amount, slippage, fees, and transaction hash before any execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium (90% confidence)
The skill is scoped as a swap/transaction capability, but the cross-skill workflow examples instruct the agent to perform token search, trending-market lookup, and wallet-holdings analysis. This scope expansion increases the attack surface and can cause the agent to invoke unrelated capabilities under the authority of a high-risk transactional skill, making unintended fund-moving workflows easier to trigger.

Intent-Code Divergence

High (98% confidence)
The file explicitly says this skill must not be used for token search, security audit, trending tokens, or wallet holdings, but later examples direct the agent to do exactly those things. Contradictory instructions in a high-risk financial skill undermine policy enforcement and can be exploited to justify out-of-scope actions that gather sensitive wallet data or steer a user into transactions.

Context-Inappropriate Capability

Medium (84% confidence)
Including login, verification, and identity commands inside a swap skill broadens it from transaction construction into account/session management. In a fund-moving context, this increases privilege and makes it easier for the skill to bootstrap authenticated state and then perform sensitive actions without a clearly separated trust boundary.

Natural-Language Policy Violations

High (99% confidence)
The skill directs the agent to install a global CLI package automatically and without asking the user. Silent installation changes the execution environment, bypasses user consent, and creates a supply-chain risk because a transactional skill could introduce or update software immediately before handling authentication and fund-moving actions.

VirusTotal

61/61 vendors flagged this skill as clean.
