Goldrush CLI

Security checks across malware telemetry and agentic risk

Overview

This is a documented guide for using the GoldRush blockchain CLI, with disclosed API-key, streaming, and Claude MCP setup behavior.

Before installing, confirm you trust the @covalenthq/goldrush-cli npm package and are comfortable storing a GoldRush API key in your OS keychain. Only run goldrush install if you want Claude Desktop or Claude Code to have GoldRush MCP tools available, and stop streaming commands or use logout when you are done.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs users to run `goldrush install` to register an MCP server with Claude, but it does not explicitly warn that this modifies local Claude/MCP configuration. In an agent setting, silent configuration-changing steps are risky because users may not realize they are authorizing persistent tool integration on their machine.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal