Nft Floor Price Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill coherently checks NFT floor prices and can optionally send Discord webhook alerts, with no evidence of hidden data access, persistence, or destructive behavior.

Install only if you are comfortable with the skill making network requests to NFT price APIs and, when enabled, sending alert details through a Discord webhook. Treat the Discord webhook URL and OpenSea API key as secrets, prefer environment variables over command-line sharing, and confirm intent before using broad trigger phrases or enabling Discord alerts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium, 94% confidence
Finding
The trigger list is broad enough to match routine NFT discussions such as 'floor price', 'NFT portfolio', and 'collection floor', which can cause the skill to activate outside clear user intent. In an agent ecosystem, over-broad invocation increases the chance of unintended execution and can lead to unnecessary external API calls or alert setup actions without sufficiently specific user consent.

Missing User Warnings

Medium, 96% confidence
Finding
The skill documents sending alerts to Discord via webhook but does not warn that collection data, alert conditions, and potentially user-linked monitoring activity will be transmitted to a third-party service. This is risky because users may not realize that enabling Discord alerts exports data externally, and webhook URLs are sensitive secrets that can be abused if exposed.

VirusTotal

66/66 vendors flagged this skill as clean.
