Skylens Transaction Analysis

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed blockchain transaction-analysis helper with expected network use and an optional file-save feature that should be used carefully.

Install only if you are comfortable sending transaction hashes, chain names, and addresses to CertiK Skylens. Avoid letting an agent choose arbitrary --OUTPUT paths; save fetched source only into an intended workspace directory and do not target sensitive or existing files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill declares executable behavior that requires outbound network access and can write files, but these capabilities are not explicitly surfaced as permissions or prominently warned about. In agent environments, hidden or under-declared capabilities reduce informed consent and make it easier for the skill to perform side effects a user may not expect, especially when combined with user-controlled output paths.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The top-level description says the skill inspects a transaction and returns trace, balance, storage, and nonce changes, but the documented commands also enumerate contract source files, retrieve source code, and optionally save that content to disk. This mismatch is dangerous because routing and trust decisions may be made from the narrower description, while the actual behavior includes data retrieval and file-write side effects beyond passive transaction analysis.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill advertises tx-level investigation features, but the code also exposes source-code retrieval endpoints. This expands the tool’s effective capability beyond the declared manifest scope, which undermines least-privilege expectations and can cause an agent or user to invoke data-access behaviors they did not authorize or anticipate.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The get-source-file path can persist remotely fetched contract source code to a local path via --OUTPUT, introducing filesystem write capability into a nominally read-only analysis skill. Arbitrary file writes create a meaningful integrity risk in agent environments, because an agent could overwrite workspace files, plant misleading artifacts, or interfere with downstream tooling.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code writes attacker-controlled remote content to an arbitrary user-supplied filesystem path without restriction. In an agent setting, this exceeds the justified privilege for transaction inspection and can be abused to overwrite local files, drop deceptive content, or tamper with artifacts that other tools may trust.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown advertises `--OUTPUT <file_path>` for saving fetched source to a user-specified path without any guardrails, warnings, or confinement. Arbitrary path writes can overwrite existing files or place untrusted remote content in sensitive locations, turning a read-oriented analysis skill into one with meaningful local side effects.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The write site performs local file output with no inline warning, confirmation, or disclosure even though the skill’s primary purpose appears to be read-only transaction analysis. This increases the chance of surprising side effects and unsafe agent use, especially when remote content is being saved locally.

VirusTotal

66/66 vendors flagged this skill as clean.
