ClawHub

Fluora Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it should be reviewed because it creates a crypto wallet, handles private-key material, downloads unpinned code, and changes persistent tool configuration.

Install only if you trust Fluora and are comfortable using a small, dedicated funded wallet controlled by a local private key. Review the cloned fluora-mcp repository before running it, do not run the setup with elevated privileges, back up or inspect mcporter.json first, and keep only minimal funds in the generated wallet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup description does not prominently warn that it will create a wallet containing a private key and modify local configuration files. For a setup skill that handles secrets and persistent system changes, failing to disclose those side effects upfront can lead to unsafe execution by users who would not otherwise consent, increasing the risk of secret exposure, misuse of funds, or unintended environment changes.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script reads a wallet file that contains private keys without any user-facing disclosure that highly sensitive credentials are being accessed and processed. In a setup wizard that clones and runs third-party code, silent handling of private key material increases the risk of accidental exposure, unsafe logging changes later, or user misunderstanding about the sensitivity of the generated artifacts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The wizard overwrites or creates the mcporter configuration file automatically, adding an executable entry that will later run a locally built script from a freshly cloned repository. In the context of a setup skill that installs and executes remote code, modifying execution configuration without explicit confirmation is risky because it can silently change trusted tool behavior and persist that change beyond the current run.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal