Airdrop Monitor CN

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local airdrop-monitoring tool, but it includes live billing code that can charge users or generate payment links without a per-run confirmation or sandbox guard.

Install only if you intentionally want a paid local monitor and understand the SkillPay flow. Keep billing environment variables unset for free/local use, do not run the cron example with billing credentials unless repeated charges are intended, and avoid verify_billing.py with real users until it has a dry-run or explicit confirmation safeguard.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium (88% confidence)
Finding
This skill is described as a monitoring assistant, but the file introduces payment and charging capabilities backed by environment-provided credentials. That mismatch increases supply-chain and user-trust risk because operators or users may not expect a monitoring skill to perform billing actions or hold billing secrets.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The code performs remote charge and payment-link operations that go beyond the stated monitoring and analysis behavior of the skill. Even if legitimate, hidden monetization paths create a risky capability gap: anyone invoking this code may trigger financial operations and external data transmission that are not obvious from the skill purpose.

Description-Behavior Mismatch

High (93% confidence)
Finding
This script is presented as a billing verification utility, but it performs live balance checks, charges a supplied user ID, and generates a payment link. In the context of an airdrop-monitoring skill, monetization actions are outside the stated purpose and create a clear risk of unauthorized financial operations if run with real credentials.

Context-Inappropriate Capability

High (97% confidence)
Finding
The call to charge_user(args.user_id, amount=args.amount) can perform a real debit against an arbitrary supplied user ID with no confirmation, authorization check, or test-mode enforcement visible in this file. For a monitoring assistant, this capability is especially dangerous because it enables unintended or abusive billing unrelated to the core function of tracking announcements.

Context-Inappropriate Capability

Medium (83% confidence)
Finding
Generating payment links is a monetization function unrelated to the documented monitoring workflow, and doing so for any provided user ID may enable phishing-like misuse, spam, or unauthorized payment requests. While less severe than direct charging, it still expands the skill's capability into financial operations without clear need or user-facing safeguards.

Missing User Warnings

Medium (93% confidence)
Finding
The code charges the user automatically in handle_request() before executing the monitor, based solely on the presence of billing environment variables. There is no explicit runtime confirmation, consent prompt, or clear disclosure in the execution flow, so users may incur charges unexpectedly, which is a real security/trust issue for a paid automation skill.

Missing User Warnings

Medium (91% confidence)
Finding
The billing functions transmit user identifiers to an external payment service and can trigger charges, yet there is no visible consent, warning, or disclosure mechanism in this code. In a monitoring-focused skill, silent payment-related processing is especially risky because users may not reasonably anticipate financial actions or third-party sharing of identifiers.

Missing User Warnings

Medium (91% confidence)
Finding
The script performs potentially real billing actions immediately from CLI input and catches failures only after the calls occur, without any user-facing warning, confirmation step, or visible dry-run mode. In a skill context, this makes accidental or unauthorized execution more likely, especially when operators may assume a harmless verification check.

VirusTotal

66/66 vendors flagged this skill as clean.
