ClawHub

Mobula - Smart Alerts & Monitoring

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only crypto alerting skill whose sensitive behavior is disclosed and purpose-aligned, though users should treat wallet and portfolio alerts as private data.

Install only if you want continuous crypto monitoring. Use private alert channels, avoid sending full wallet addresses or exact holdings unless necessary, protect the Mobula API key, and confirm how to disable heartbeat tasks before enabling 24/7 alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly promotes sending alerts through third-party messaging platforms and shows examples containing wallet addresses, holdings, and trading activity, but it does not warn users that this information may leave the local agent environment and be exposed to external providers. In a crypto-monitoring context, portfolio composition and wallet tracking data are sensitive and can enable profiling, targeted phishing, doxxing, or unwanted surveillance if forwarded without user awareness.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly encourages sending portfolio, wallet, whale-tracking, and market alerts to third-party messaging platforms such as Telegram, WhatsApp, and Discord, but it does not clearly warn users that sensitive financial metadata may be shared with external services. This creates a real privacy/security issue because wallet addresses, holdings, trading patterns, and schedules can be exposed to providers or compromised chat accounts.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal