Goldrush Streaming API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for GoldRush live blockchain data; the main risks are normal API-key handling and wallet-monitoring privacy cautions, not hidden or destructive behavior.

Install only if you trust GoldRush/Covalent and the referenced packages. Keep the GoldRush API key in an environment variable or secret manager, avoid putting it in browser-side code, repos, logs, screenshots, or shell history, and monitor only wallet addresses you have a legitimate reason to track.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The Python sample contradicts the surrounding documentation: it sends init_payload={"apiKey": API_KEY} even though the documented and required field is GOLDRUSH_API_KEY, and it references API_KEY after defining GOLDRUSH_API_KEY, so the variable it passes is never the one it set. This is a real documentation security issue because users will copy a broken auth pattern and hit authentication failures, and the usual troubleshooting for that (hardcoding the secret, disabling checks, or printing the key in logs to see what is being sent) is exactly how keys leak.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding
The skill documents real-time monitoring of wallet addresses, decoded transactions, and raw logs without any privacy, surveillance, or sensitivity warning. In this skill context—explicitly marketed for trading bots, alerting systems, copy-trading, and automation—this makes mass monitoring and profiling of wallet behavior easier to operationalize, increasing the risk of misuse for targeted surveillance, front-running, or deanonymization workflows.

Missing User Warnings

Severity: Low
Confidence: 77%
Finding
The documentation includes client and terminal examples that place API keys directly into connection payloads and command lines without warning about secret handling, shell history, screenshots, or logging exposure. In this skill's context, users are expected to work with live trading and wallet-monitoring automation, which increases the chance that examples are copied into shared terminals, repos, notebooks, CI logs, or bot output, leading to credential leakage.
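The hardened counterpart to the patterns the three findings describe, written here as an added example; it is not code from the skill, from GoldRush/Covalent, or from the scanner. It assumes the init payload field is named GOLDRUSH_API_KEY (as the first finding states) and that the key is supplied through an environment variable of the same name; the sample key, the allowlist entries and the requested addresses are constructed, and the websocket client itself is left out so the block runs offline. The key is read from the environment and the code fails fast when it is absent instead of inviting a hardcoded fallback; wallet addresses are only accepted when they are well formed and carry a recorded reason in an allowlist; and a redacted copy of the payload is what gets logged or pasted into a terminal.

```python
"""Added example (not the skill's code): build a GoldRush subscription
request without copying the broken auth pattern or leaking the key."""
import os
import re
from typing import Iterable, Mapping

KEY_FIELD = "GOLDRUSH_API_KEY"   # assumed: the documented init_payload field name
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")  # EVM address shape


class ConfigError(Exception):
    """Raised when the key is missing; the fix is to export it, not to inline it."""


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the environment (or a secret manager that populates it)
    and fail fast instead of falling back to a literal in the source."""
    key = env.get(KEY_FIELD, "").strip()
    if not key:
        raise ConfigError(f"{KEY_FIELD} is not set; export it or load it from a secret manager")
    return key


def build_init_payload(env: Mapping[str, str] = os.environ) -> dict:
    """The finding's sample sent {"apiKey": API_KEY}; send the documented field
    populated from the one variable that was actually loaded."""
    return {KEY_FIELD: load_api_key(env)}


def select_addresses(requested: Iterable[str], allowlist: Mapping[str, str]) -> list:
    """Monitor only addresses with a recorded justification (allowlist maps a
    lowercased address to the reason it is tracked). Malformed or unlisted
    addresses are rejected rather than silently subscribed."""
    chosen = []
    for addr in requested:
        if not ADDRESS_RE.match(addr):
            raise ValueError(f"not an EVM address: {addr!r}")
        norm = addr.lower()
        if norm not in allowlist:
            raise PermissionError(f"{addr} is not in the monitoring allowlist")
        chosen.append(norm)
    return chosen


def redact(payload: dict) -> dict:
    """Copy of the payload that is safe to log, screenshot or paste: the key is
    replaced by a masked form keeping only its last four characters."""
    out = dict(payload)
    if KEY_FIELD in out:
        key = out[KEY_FIELD]
        out[KEY_FIELD] = "****" + key[-4:] if len(key) > 8 else "****"
    return out


if __name__ == "__main__":
    # Constructed inputs; a real run would rely on the process environment.
    env = {KEY_FIELD: "cqt_example_key_0000_do_not_use"}
    allowlist = {"0x" + "ab" * 20: "own treasury wallet, owner consented"}
    payload = build_init_payload(env)
    addresses = select_addresses(["0x" + "AB" * 20], allowlist)
    print(redact(payload), addresses)   # never print(payload)
```

In a real client the unredacted payload goes only into the connection handshake; everything that reaches stdout, a notebook cell or bot output should go through redact(), and the allowlist is the place to record why each address is being watched.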

VirusTotal

66/66 vendors flagged this skill as clean.
