money-toolkit

Security checks across malware telemetry and agentic risk

Overview

This crypto/finance helper is purpose-aligned and does not show credential theft, persistence, trading authority, or destructive behavior, though users should treat its market data and financial suggestions cautiously.

Install only if you want a crypto/DeFi finance assistant that contacts public market and blockchain endpoints. Do not provide wallet seed phrases, private keys, exchange credentials, or treat APY/arbitrage output as investment advice; verify data independently before acting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding:
The skill declares network-dependent prerequisites and scripts that aggregate DeFi yields, airdrops, and pricing data, but no explicit permissions are declared. This creates a transparency and policy-enforcement gap: a host may invoke the skill without clearly signaling that external network access is required, increasing the risk of unexpected outbound requests, data exfiltration, or supply-chain exposure through remote APIs.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding:
The trigger phrases include very broad financial terms such as '赚钱' (make money), '收益' (returns/yield), '理财' (personal finance), '省钱' (save money), and '返利' (rebate/cashback), which are common in benign everyday conversation. Overbroad activation can cause the skill to engage unexpectedly in unrelated contexts, potentially pulling in networked behavior or financially sensitive guidance when the user did not explicitly request this tool.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger conditions are vague and broad, such as any inquiry about making money, finance, arbitrage, or finding high-yield DeFi projects. Ambiguous boundaries increase the chance of accidental activation and inappropriate use in sensitive financial discussions, which is more concerning here because the skill advertises network-backed market scanning and opportunity monitoring.

VirusTotal

65/65 vendors flagged this skill as clean.
