coin-crypto-research-using-cmc-cli

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward CoinMarketCap research workflow that uses a declared CMC API key and external CLI for its stated crypto-analysis purpose.

Install only if you are comfortable giving the agent access to CMC_API_KEY and allowing it to make CoinMarketCap CLI requests for the coins you ask about. Use a quota-limited API key where possible, verify the cmc CLI source you install, and treat generated reports as informational rather than financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (91% confidence)
Finding
The trigger examples are broad enough that ordinary requests like 'tell me about ETH' or 'what's happening with X' could invoke this skill unexpectedly. Because the skill requires an external CLI and uses a privileged API key to query a third-party service, accidental invocation can cause unnecessary external data disclosure about user queries, unintended API consumption, and surprising tool use.

Missing User Warnings

Medium (95% confidence)
Finding
The markdown-facing skill content explains prerequisites but does not clearly warn that using the skill sends user-supplied coin queries to an external CoinMarketCap service via the `cmc` CLI using `CMC_API_KEY`. This reduces transparency and informed consent, and in ambiguous or accidental invocations it can expose user interests or research targets to a third party while consuming a secret-backed external capability.

VirusTotal

38/38 vendors flagged this skill as clean.
