cryptofolio

Security checks across malware telemetry and agentic risk

Overview

CryptoFolio appears to be a genuine crypto portfolio tool, but it handles sensitive financial data through three flows that its description does not fully disclose: an unauthenticated local HTTP server, Cloudflare cloud sync, and requests to third-party AI providers. Users should review these carefully before installing.

Install only if you are comfortable managing sensitive crypto portfolio data in this tool. Use local-only mode unless you need sync; if you do sync, use a strong, unique bearer token for the Cloudflare Worker and keep the config file out of backups, chat, and source control; stop the local visualization server after use; and assume that AI parsing sends your prompts, uploaded files, and API key directly to the selected AI provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The skill description suggests a local conversational portfolio tracker with CSV/Excel support, but the code adds remote Cloudflare synchronization that can read and write the full asset dataset. In a financial asset manager, undisclosed remote storage materially changes the trust and data exposure model, especially because balances, trades, and notes are sensitive financial data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The application asks users to enter third-party AI API keys and then sends portfolio text and optionally uploaded screenshots/PDFs to external AI providers. In a crypto portfolio context, this can expose sensitive financial records and credentials to outside services, while normalizing users pasting powerful secrets into a browser app.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The UI states that the API key 'will not be uploaded to any server,' but the code immediately uses that key in Authorization headers to contact external AI endpoints. This is a materially misleading security claim that may cause users to disclose credentials under false assumptions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill metadata describes a local portfolio recording/export assistant, but the code includes full remote synchronization behavior. This scope mismatch is security-relevant because users may reasonably expect data to remain local while the tool can transmit sensitive financial holdings to external infrastructure.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding
This code sends full portfolio data to a remote API endpoint, including accounts, positions, trades, finance, and transfers. In the context of an asset-management skill presented as local/export-oriented, this is dangerous because it can exfiltrate highly sensitive financial data to an arbitrary configured server with limited transparency or trust guarantees.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
This file exposes a local HTTP server with readable and writable API endpoints for portfolio data, which is a materially broader capability than a purely conversational asset assistant. Expanding the attack surface to a browser-accessible local service increases the chance of unintended access, especially when combined with permissive cross-origin policy and no authentication.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The server sets `Access-Control-Allow-Origin: *` on a local API that serves and overwrites sensitive crypto portfolio data. A malicious website visited by the user can issue cross-origin requests to the local service: the wildcard lets that page read the portfolio returned by GET, and because a browser sends a request before deciding whether the page may read the reply, a POST reaches the unauthenticated write endpoint whether or not CORS permits the response (a POST with a simple content type such as `text/plain` needs no preflight at all). The wildcard makes the read possible; the missing authentication makes the write possible. For a crypto-focused application where data integrity and privacy matter, this is especially risky.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README encourages users to store sensitive financial portfolio data in a self-deployed Cloudflare Worker and KV backend, but it does not clearly warn about the confidentiality, integrity, and access-control risks of exposing transaction history and holdings to a remote service. Because this skill handles crypto asset data, users may underestimate the sensitivity of balances, addresses, transfers, and trading history, increasing the chance of insecure deployment or accidental exposure.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill stores sensitive financial data locally and offers cloud sync, but it does not clearly warn users about privacy risks, remote transmission, or the sensitivity of exchange/wallet/account metadata. For a crypto portfolio tool, silent or poorly disclosed data movement can expose highly sensitive asset information and tokens.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README tells users to place a bearer token directly into a local JSON config file, but provides no guidance on secure storage, file permissions, rotation, or avoiding accidental commits. This increases the chance of credential leakage through dotfile syncing, backups, screenshots, shell history, or source control, which could allow unauthorized access to the Worker API and exposed portfolio data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Storing AI API keys and cloud sync tokens in localStorage exposes long-lived secrets to any script executing in the same origin, browser extensions, shared-device access, or future XSS. For a finance-related app handling cloud sync and AI credentials, persistent client-side secret storage raises the blast radius of any compromise.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The app lets users upload screenshots and PDFs and transmits them to external AI providers, but the upload/send area does not clearly disclose that those files leave the local app. Because screenshots may contain balances, account identifiers, and transaction details, lack of just-in-time disclosure can lead to unintended data exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The tool uploads sensitive financial portfolio data without an explicit user-facing warning at the point of transmission. For a crypto asset manager, holdings, trades, and account structure are highly sensitive, so silent or insufficiently disclosed transmission materially increases privacy and security risk.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The setup flow stores the cloud sync token in a local config file without warning the user that credentials are being written to disk. If the file permissions are weak, the machine is shared, or backups/logging expose the home directory contents, the token could be recovered and used to access or overwrite remote portfolio data.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The `saveData` path overwrites the local portfolio file directly, and the POST handler accepts arbitrary JSON without authentication, authorization, schema validation, or user confirmation. In practice, any process or web page able to reach the local server could replace or corrupt the user's crypto records, causing loss of integrity and possible privacy exposure.

VirusTotal

64/64 vendors reported this skill as clean (no detections).
