ClawHub

Pond3r Skill - Query Onchain Data

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a disclosed Pond3r analytics integration, but it also documents creating scheduled remote reports despite presenting itself mainly as read-only querying.

Review before installing. Use a dedicated Pond3r API key, avoid putting secrets or unrelated private data in SQL queries or report descriptions, and only allow scheduled report creation after an explicit user request. Confirm how to delete or disable any reports created in the Pond3r account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented primarily as a read-only MCP querying integration, but it also instructs use of a separate REST API that performs a POST to create scheduled reports. That expands capability from passive querying to state-changing external actions, which can surprise the agent/runtime and cause unreviewed outbound data transmission or persistent report creation.

Intent-Code Divergence

Low
Confidence
74% confidence
Finding
The skill says not to switch to other sources without user approval, but later introduces alternate REST API usage and retry behavior outside the earlier MCP-only workflow. This inconsistency can cause agents to broaden execution paths and make network calls the user did not expect, weakening operator control and policy enforcement.

External Transmission

Medium
Category
Data Exfiltration
Content
For scheduled reports and structured JSON delivery, use the REST API:

- **Create report**: `POST https://api.pond3r.xyz/v1/api/reports` with `description`, `schedule`, `delivery_format`
- **Get latest**: `GET https://api.pond3r.xyz/v1/api/reports/{reportId}/latest`
- **Headers**: `x-api-key: <API_KEY>`
Confidence
88% confidence
Finding
https://api.pond3r.xyz/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal