ClawHub

GMGN Skill Token

Security checks across malware telemetry and agentic risk

Overview

This is a GMGN token research skill with disclosed API-key setup and network troubleshooting, but no evidence of hidden trading, exfiltration, or destructive behavior.

Before installing, verify that gmgn-cli is the package you intend to trust, and only provide a GMGN API key you are comfortable storing locally in ~/.config/gmgn/.env. Allow the IPv6 troubleshooting commands only if you are comfortable exposing local interface details and a public IP check during the session. Treat the skill's output as token research, not financial advice or automatic approval to buy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill directs the agent to inspect local network interfaces and query an external IP-check service (`ipv6.icanhazip.com`) to troubleshoot CLI access. That behavior is outside the core token-research function and unnecessarily expands system inspection and outbound network activity, creating avoidable exposure of host/network metadata.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The first-time setup flow has the agent generate an Ed25519 private key and then persist a user-provided API key in `~/.config/gmgn/.env`. This exceeds a read-only research skill and introduces secret generation and local credential handling, which can create long-lived sensitive material on the host and broaden the blast radius if the environment is later compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to take a user-supplied API key and write it to a persistent file without an explicit warning about persistence, local storage risks, or safer alternatives. This can lead users to disclose credentials into an agent workflow that stores them on disk, increasing the chance of unintended retention or later disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal