ClawHub

Gekko

Security checks across malware telemetry and agentic risk

Overview

This is a read-only DeFi analysis skill that uses a clearly documented remote Gekko API, with privacy and financial-risk cautions but no hidden execution, credential use, persistence, or fund movement.

Before installing, treat anything entered into this skill as shared with Gekko's remote service. Do not submit seed phrases, private keys, API keys, wallet auth material, confidential trading plans, or nonpublic strategy details. Verify any financial recommendation independently before moving funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence
80% confidence
Finding
The skill advertises a broad, open-ended chat capability about markets, strategies, tokens, and yields without clear boundaries on when it should be invoked. In an agent ecosystem, this can cause over-broad routing and unintended use of the skill for general financial advice or unrelated prompts, increasing the chance of unsafe delegation and confusing trust boundaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill repeatedly instructs users to send portfolio, token, and free-form query data to a third-party endpoint, but it does not clearly warn users that this data leaves the local environment and is transmitted to an external service. In a DeFi context, wallet-related interests, asset preferences, and strategy queries can reveal sensitive financial behavior and should be disclosed before use.

External Transmission

Medium
Category
Data Exfiltration
Content
**Usage:**
```bash
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \
  -H "Content-Type: application/json" \
  -d '{
    "capability": "portfolio_management",
Confidence
92% confidence
Finding
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**Usage:**
```bash
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \
  -H "Content-Type: application/json" \
  -d '{
    "capability": "token_analysis",
Confidence
91% confidence
Finding
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**Usage:**
```bash
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \
  -H "Content-Type: application/json" \
  -d '{
    "capability": "yield_optimization",
Confidence
91% confidence
Finding
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**Usage:**
```bash
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \
  -H "Content-Type: application/json" \
  -d '{
    "capability": "market_intelligence",
Confidence
93% confidence
Finding
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**Usage:**
```bash
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \
  -H "Content-Type: application/json" \
  -d '{
    "capability": "chat",
Confidence
95% confidence
Finding
curl -X POST https://gekkoterminal.ai/api/a2a?agent=gekko \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal