ClawHub

Crypto Tracker Cn

Security checks across malware telemetry and agentic risk

Overview

The main crypto tracker is mostly understandable, but the package also includes an executable personal-finance tracker that stores local financial history and does not match the advertised crypto-market purpose.

Review carefully before installing. Use it only if you are comfortable with local storage of portfolio, alert, and possible transaction-history data, and verify which executable is actually invoked; if scripts/script.sh is exposed, it is a personal-finance tracker rather than the advertised crypto market tracker.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill metadata declares no permissions, yet static analysis detected capabilities for environment access, file writing, network access, and shell execution. That combination materially expands the attack surface because users and hosting platforms cannot accurately assess what the skill may do, and a crypto-themed skill is a plausible lure for data exfiltration or command execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose is limited to crypto market tracking, but the analyzed behavior reportedly includes personal finance transaction tracking, budgeting, export, history, and forecasting. This mismatch is dangerous because users may expose sensitive financial data to a skill they reasonably believe is only querying public crypto market APIs, creating risk of privacy violations, undisclosed data collection, or abuse of broader capabilities.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The script persists sensitive financial preference data under ~/.crypto-tracker without any notice, permission check, file mode hardening, or data minimization. Even though the data stays local, storing holdings and buy prices can expose private financial information to other local processes, shared accounts, backups, or endpoint compromise.

Context-Inappropriate Capability

Medium
Confidence
76% confidence
Finding
The alert subsystem writes persistent watch conditions to disk, creating undisclosed local monitoring state. While not inherently malicious, it records user trading interests and behavior patterns that may be sensitive and can be exposed through local access, backups, or multi-user environments.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The advertised purpose of the skill is cryptocurrency market tracking, but the implemented commands operate as a personal finance and transaction ledger. This mismatch is dangerous because users and calling agents may grant trust, inputs, or permissions based on the stated crypto-tracker purpose while the script instead records personal financial activity to local files, creating a deceptive capability gap and unexpected data handling.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The inline documentation and naming present the tool as a crypto tracker, while the actual help and command set describe budgeting and transaction management. In an agent ecosystem this can mislead users, reviewers, and orchestration logic about what the tool really does, increasing the chance of inappropriate invocation and inadvertent disclosure of sensitive financial information.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file content materially diverges from the declared skill purpose: instead of real-time crypto market tracking, it provides prescriptive investment and trading strategies. This mismatch can mislead downstream users, routing, and safety expectations, causing the skill to be invoked in contexts where users expect neutral market data but receive actionable financial guidance with real-world loss potential.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script logs user-supplied transaction details to a persistent local history file without clear consent, warning, retention policy, or access controls. Because the skill context involves financial data, even simple descriptions can contain sensitive personal spending or asset information, making silent persistence a privacy and confidentiality risk.

External Transmission

Medium
Category
Data Exfiltration
Content
coins = list(set(p["coin"].lower() for p in portfolio))
    ids = ",".join(coins)
    try:
        url = "https://api.coingecko.com/api/v3/simple/price?ids={}&vs_currencies=usd".format(ids)
        data = json.loads(urlopen(url).read().decode())
    except:
        data = {}
Confidence
74% confidence
Finding
https://api.coingecko.com/

External Transmission

Medium
Category
Data Exfiltration
Content
coins = list(set(a["coin"].lower() for a in alerts))
    ids = ",".join(coins)
    try:
        url = "https://api.coingecko.com/api/v3/simple/price?ids={}&vs_currencies=usd".format(ids)
        data = json.loads(urlopen(url).read().decode())
    except:
        print("API error")
Confidence
71% confidence
Finding
https://api.coingecko.com/

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal