ClawHub

Api3 Feed Manager

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent on-chain feed-management purpose, but it needs review because it can spend funds and includes unsafe private-key command-line guidance.

Review before installing. Use this only when you intend an agent to inspect and potentially fund Api3 feeds. Prefer dry-run and browser or wallet-based signing paths, avoid passing private keys as command-line arguments, and require explicit approval before any transaction that spends funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly describes network-dependent discovery, readiness inspection, and execution planning, but it does not declare corresponding permissions. That mismatch weakens the platform's trust and review model because operators may believe the skill is more constrained than it really is, increasing the chance of unintended external calls or data exfiltration through undeclared network use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README includes a signer-backed deployment example that passes a raw private key on the command line without any adjacent warning about secret handling, shell history exposure, process-list leakage, or irreversible on-chain effects. In a skill intended for agent use, examples strongly influence operator behavior, so this can normalize unsafe credential practices and lead to accidental key compromise or unintended funded transactions.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal