CoinFound-Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent read-oriented CoinFound RWA data helper; its network reads are expected, and the optional snapshot-writing probe path is disclosed clearly enough to be treated as guidance rather than a review hold.

Installers should understand that this is not an offline-only reference bundle: normal use makes GET requests to CoinFound's API. Avoid running the probe script with --write-snapshot unless you intentionally want to refresh local schema snapshots and retain small excerpts of live API responses.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares itself as read-only and does not declare permissions, yet its documented behavior and bundled resources imply filesystem access and network operations. This creates a transparency and policy-enforcement gap: a host may approve the skill under a low-risk assumption while it can still read local files, write artifacts, and reach external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose says the skill is self-contained and read-only, but the analyzed behavior includes writing catalog/schema files, live schema probing, and discovery queries against external endpoints. This mismatch is dangerous because operators and downstream agents may trust the skill with broader autonomy than intended, leading to unauthorized network access, persistence of data to disk, and execution of side effects under a benign-looking label.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The module is described as a read-only data skill, but `probe_endpoint_schema` can perform live endpoint probes and, when `write_snapshot_file=True`, persist newly generated schema snapshots to disk. That behavior expands the skill from passive reading into local state mutation and can capture live response-derived content, creating a mismatch between the declared trust boundary and actual capability.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code path that writes snapshot files is not necessary for a strictly read-only consumer skill and introduces filesystem side effects. Even if intended for schema maintenance, embedding this capability in the skill increases attack surface and can surprise operators who expect no local writes from a read-only integration.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When snapshot writing is enabled, the code stores a `sample_response_excerpt` derived from live API data without any disclosure or filtering in this module. If upstream responses contain unexpected sensitive, proprietary, or user-linked fields, that data could be persisted locally and retained beyond the original request lifecycle.

VirusTotal

60/60 vendors flagged this skill as clean.
