Subscan API Skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Subscan API helper, but it needs review because it stores an API key locally and its helper can send that key to any URL if misused.

Install only if you are comfortable giving the agent a Subscan API key and storing it locally in plaintext. Prefer a limited or disposable key, rotate or delete it when done, and avoid using the helper with any URL except https://<network>.api.subscan.io. The publisher should add host validation and safer key storage before broad use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill directs the agent to read local reference files, write a persistent API key to the user's home directory, and make outbound network requests, yet it declares no permissions. This creates a transparency and governance gap: the agent can handle credentials and perform networked actions without explicit capability disclosure, increasing the risk of unintended execution and reducing a user's ability to make informed trust decisions.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The `call` command accepts an arbitrary `--url` and then sends a POST request with the Subscan API key in the `X-API-Key` header to that destination. This enables credential exfiltration and SSRF-like misuse if a user, wrapper, or upstream agent passes an attacker-controlled URL instead of an official Subscan endpoint.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation text is broad enough to trigger on many generic blockchain questions, causing the skill to engage and potentially perform API-key checks, file access, or network calls when the user may only want general information. In this context, overbroad triggering is more dangerous because the skill is not purely informational; it can store credentials and initiate external requests.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to save a user-supplied API key to ~/.config/subscan-api-skill/key without first clearly warning that the credential will be stored persistently on disk. This can surprise users, lead to long-lived credential retention, and increase exposure if the local environment is shared, backed up, or otherwise compromised.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The routing table explicitly uses case-insensitive partial-match triggers and includes many generic terms, which can cause the wrong route to activate from ordinary user phrasing rather than clear API intent. In a skill that auto-triggers and then selects endpoints automatically, this can lead to unintended API calls, incorrect blockchain lookups, and routing confusion that an attacker or ambiguous prompt could exploit.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The search route uses extremely common verbs like "find," "lookup," "query," and "search" under partial-match semantics, making accidental activation highly likely in normal conversation. Because this skill is designed to trigger immediately for Subscan-related requests, these broad terms materially increase the chance of misrouting user intent into the generic search endpoint or overriding more appropriate routes.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Across the file, several triggers are broad everyday words such as "address," "hash," "call," "log," "find," and "query," and the comments state that partial matching is used before a full swagger parse. This creates a systemic intent-confusion flaw where unrelated or underspecified input can map to blockchain endpoints prematurely, increasing the chance of incorrect data access patterns and unsafe automation behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill stores the API key in a predictable file under `~/.config/subscan-api-skill/key` without setting restrictive permissions or warning the user about local plaintext credential storage. On multi-user systems or misconfigured environments, other local processes or users may be able to read the key, leading to credential compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The network helper blindly transmits both the request body and API key to whatever URL it is given, with no trust validation or explicit safety interlock. In the context of an agent skill that may be invoked automatically to query blockchain data, this increases the chance that secrets and sensitive request data are sent to attacker-controlled infrastructure.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Very broad routing synonyms such as generic terms around 'now' and 'timestamp' increase the chance the agent will invoke this skill when the user did not intend an on-chain/Subscan action. In an auto-triggering skill, ambiguous routing can cause unintended external requests, data disclosure to third-party services, and incorrect tool selection that bypasses user expectations.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Generic synonyms like 'supported', 'open', and 'currency' are highly ambiguous and can match many unrelated user requests, causing accidental invocation of this skill and unintended API calls. Because the skill description says it should trigger immediately, this ambiguity materially raises the risk of misrouting and unnecessary disclosure of user queries to the external API provider.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Broad price-routing terms like 'price', 'rate', and 'valuation' can incorrectly capture general financial or non-blockchain requests, leading the agent to invoke the wrong tool. In this skill's context, automatic endpoint selection from local swagger magnifies the problem because a loosely matched prompt may be turned directly into an external query without adequate user confirmation.

Vague Triggers

Medium
Confidence
96% confidence
Finding
Using generic routing terms such as 'user' and 'address' for account endpoints is unsafe because they are common across many unrelated tasks and can spuriously activate wallet/account lookups. In a blockchain query assistant that auto-triggers and sends requests to a third-party API, this increases the likelihood of unintended account queries and external transmission of potentially sensitive identifiers.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Very generic synonyms such as "user," "address," and especially "scan" can cause the skill to trigger on many unrelated requests, leading to unintended API calls and the wrong tool being invoked. In an agent environment, over-broad routing is dangerous because it can divert user queries into this skill unexpectedly, increasing the chance of data leakage, confusing outputs, or misuse of external query capabilities beyond user intent.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Phrase fragments like "more," "information," and "about" are so generic that they make the governance description endpoint match a wide range of unrelated prompts. Because this skill is configured to trigger automatically, ambiguous routing here increases the risk of unintended invocation and silent expansion from on-chain lookup into off-chain commentary retrieval.

VirusTotal

67/67 vendors flagged this skill as clean.
