ClawHub

Crypto Arbitrage CN | 加密货币套利监控

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it checks public crypto prices for arbitrage and can optionally send Telegram alerts, with no evidence of trading, theft, or destructive behavior.

Install this if you want a crypto price monitor, not an automated trader. Prefer `--once` for single checks, start continuous mode only intentionally, and use a dedicated Telegram bot token if enabling alerts. Verify any arbitrage opportunity yourself before trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises and instructs execution of a Python monitor that uses network access to query exchange APIs and environment variables for Telegram credentials, yet it declares no corresponding permissions. This creates a transparency and governance gap: users or host systems may authorize or invoke the skill without understanding that it can reach external services and read secrets from the environment.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad terms like “crypto”, “arbitrage”, and “价格差”, which can match ordinary discussion rather than an explicit request to run this skill. Over-broad activation can cause unintended invocation of a networked, market-monitoring skill, potentially leading to unnecessary external requests or exposure of user intent in contexts where the user did not mean to engage the tool.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal