Asset Management

Security checks across malware telemetry and agentic risk

Overview

This crypto portfolio skill is mostly purpose-aligned, but it needs review because it handles sensitive financial records through cloud sync, browser-stored secrets, and an unauthenticated local API, and it discloses these risks poorly.

Install only if you are comfortable storing crypto holdings and transaction history locally and, if enabled, in your own Cloudflare Worker/KV. Use a strong unique sync token, avoid putting real tokens in source files or shell history, do not leave the local dashboard running, and assume AI prompts, uploaded files, and API keys are sent to the selected AI provider when AI parsing is used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The page collects third-party AI API keys and stores them in browser localStorage, which persists across sessions and is accessible to any script running in the same origin. In a financial-records app, compromise of that origin or injected script would expose reusable credentials that can be abused for unauthorized API usage and billing.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The UI claims the API key "will not be uploaded to any server," but the application then uses that key in Authorization/x-api-key headers to contact external AI services. This is a deceptive security claim that can cause users to disclose high-value credentials under false assumptions, increasing the chance of credential misuse and sensitive data leakage.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding: The skill metadata presents the tool as a local asset-recording/export assistant, but the code also supports remote cloud synchronization and transmits portfolio data to an external API. This expands the trust boundary and can cause users to expose sensitive financial holdings and transaction history to a remote service they did not reasonably expect from the description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding: The file starts a local HTTP server that exposes both a browser UI and unauthenticated API endpoints for reading and overwriting the user's crypto portfolio data. Because it binds to the default interface and enables permissive CORS with no authentication or CSRF protection, other local-network hosts or websites visited in the browser may be able to access or modify sensitive asset data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding: The skill instructs the agent to start a local HTTP server and automatically open a browser, expanding from simple recordkeeping into service execution and UI launching. This increases attack surface, may expose sensitive portfolio data over localhost, and performs a side effect that users may not expect from a conversational asset tracker.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README instructs users to place a bearer token directly into a plaintext local configuration file without any warning about secret handling, rotation, or exposure risks. This increases the chance of accidental disclosure through dotfile backups, screenshots, shell history, support bundles, or source-control commits, especially because the token grants access to the worker API.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The worker hardcodes an authentication token directly in source code, which makes credential leakage likely through source sharing, commits, logs, screenshots, or package distribution. In this skill's context, the backend stores crypto portfolio data, so compromise of the token would allow unauthorized reading and overwriting of sensitive financial records via the exposed API.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: AI provider API keys are persisted in localStorage without a prominent warning about long-term browser exposure. Because localStorage is readable by scripts on the same origin, any XSS, malicious extension, or compromised hosting context could extract those keys and use them against the victim's account.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The Cloudflare sync token is stored in localStorage, giving any same-origin script or injected code durable access to a credential that can read and write the user's portfolio data. Because this token protects cloud-stored financial records, theft could enable silent exfiltration or tampering with account balances, trades, and history.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The README instructs users to enable cloud synchronization of sensitive crypto portfolio data to Cloudflare KV but does not disclose the privacy and security implications of transmitting holdings, transactions, and account metadata to a third-party remote store. Users may unknowingly expose highly sensitive financial information if the Worker, token, or Cloudflare account is compromised or misconfigured.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: The README promotes CSV/Excel export without warning that exported files may contain sensitive financial records such as balances, trades, and account names in plaintext on local disk. Such files are easy to copy, index, sync to consumer cloud drives, or open in unsafe spreadsheet software, increasing accidental disclosure risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The tool uploads the full portfolio state to a remote API during normal save operations whenever cloud sync is configured, but there is no explicit user-facing warning or confirmation at the moment sensitive financial data is transmitted. In the context of a portfolio manager, holdings, trades, and finance records are highly sensitive, and silent transmission increases privacy and data-exposure risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The setup flow stores the cloud token in a local JSON config file under the user's home directory without any warning, permission hardening, or use of an OS secret store. If the local machine is compromised, shared, backed up insecurely, or the file is world-readable, an attacker could recover the token and access or tamper with the user's remote portfolio data.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The skill states that sensitive financial data is stored locally and can be synchronized to Cloudflare Workers, but it does not warn users about privacy, retention, third-party transmission, or token-handling risks. Because the data concerns crypto holdings and transactions, silent syncing materially raises confidentiality and operational security concerns.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The export commands write detailed asset reports to predictable user-accessible files without warning that highly sensitive financial information will be persisted on disk. Exported CSV/XLSX files are easy to copy, sync, index, or leak through backups and other local processes, increasing the chance of unintended disclosure.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
1. Click the back button in the top left, or click **Workers & Pages** in the left menu
2. Click **KV** in the left menu
3. Click **Create a namespace**
4. Enter the name `cryptofolio-data`
5. Click **Add**
Confidence: 76%
Finding (matched README excerpt, translated from Chinese):
Create a namespace** 4. Enter the name `cryptofolio-data` 5. Click **Add** #### 1.5 Bind the KV namespace to the Worker 1. Click **Workers & Pages** in the left menu 2. Click the Worker you created (`cryptofolio-api`) 3. Click the **Settings** tab 4. Scroll down to the **Bindings** section

VirusTotal

64/64 vendors flagged this skill as clean.