ClawHub

hyperbot-quote

Security checks across malware telemetry and agentic risk

Overview

This is a read-only crypto analytics skill that uses Hyperbot’s remote MCP service; its main risks are privacy and financial-decision caution, not hidden or destructive behavior.

Install only if you are comfortable sending wallet addresses, address batches, session IDs, and trading-analysis queries to Hyperbot’s remote service. Avoid submitting sensitive client, proprietary, or regulated address lists unless you trust the provider’s data handling. Treat strategy suggestions, trader scores, and market predictions as informational research, not financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill documents analytics over specific wallet addresses, trade history, position history, and batch queries for up to 50 addresses without any privacy, consent, retention, or acceptable-use warning. Even if blockchain addresses are publicly observable, aggregating and operationalizing them into trader profiling materially increases surveillance and misuse risk, especially when combined with prompts that score traders and recommend copy-trading actions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
该技能支持按单地址和最多 50 个地址批量查询交易历史、统计、仓位和收益等数据,可用于构建详细的链上/交易行为画像,但文档未提醒用户这类分析可能涉及隐私、去匿名化和监控风险。即便数据部分来自公开链上信息,将其集中检索、聚合和排名会显著提升对个人或机构交易行为的可观察性。

Missing User Warnings

Medium
Confidence
90% confidence
Finding
文档在开头直接给出远程 MCP Server URL 和通过 SSE 获取 sessionId 的方式,但未明确告知用户:后续工具参数、钱包地址、查询条件以及分析数据都会被发送到第三方网络服务。这会导致使用者在不充分知情的情况下外传敏感业务上下文、地址列表或交易研究数据。

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file explicitly promotes prompts for cryptocurrency trading analysis, strategy recommendations, whale tracking, and trader evaluation, but it provides no caution that outputs may be inaccurate, stale, incomplete, or unsuitable as financial advice. In a trading context, users may act on these recommendations and incur financial losses, especially because the examples and best practices encourage decision-making based on model-generated analysis.

Vague Triggers

Medium
Confidence
90% confidence
Finding
该文档将“分析”“策略”“评估”“建议”等非常宽泛的自然语言词作为优先触发提示词的条件,容易在大量正常对话中误触发相关技能或提示链。若这些提示进一步驱动外部工具调用或生成交易建议,可能导致非预期的数据访问、错误上下文注入,或在未经用户明确授权下执行高风险金融分析流程。

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal