ClawHub

Deepblue Defi Api

Security checks across malware telemetry and agentic risk

Overview

This is a read-only DeFi data reference skill with no executable install behavior, but users should treat wallet lookups as visible to the external API despite the strong privacy wording.

Reasonable to install for read-only DeFi research. Use wallet scans only for addresses you are comfortable sending to deepbluebase.xyz, and do not rely on the no-logging wording as a privacy guarantee. Do not use any deposit, withdrawal, claim, payment, or trading endpoint unless separately reviewed and explicitly user-directed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The privacy section makes a strong claim that no IP addresses are stored or logged, while the documented rate limit is enforced per IP. Even if the implementation only keeps transient counters, the current wording is misleading because some form of IP-based processing or retention is required to distinguish requesters. In a security-sensitive agent context, inaccurate privacy claims can cause users to disclose wallet addresses or usage patterns under false assumptions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill encourages users to submit wallet addresses for scanning but does not clearly warn that these addresses are sent to an external service and may be visible to the operator and upstream data providers. Wallet addresses are public on-chain identifiers, but linking them to a user's agent session, IP, or query timing can create privacy-sensitive correlation data. In an agent setting, this increases the risk of inadvertent deanonymization or profiling.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal