Meme Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a meme-token scanner, but it uses broad local Chrome debugging access and includes mismatched or under-disclosed behavior that users should review before installing.

Install only if you are comfortable giving the skill access to a dedicated Chrome DevTools session. Use a clean browser profile with no sensitive logins, keep port 9222 closed except while scanning, review or remove the legacy Ave.ai script and exposed key, and avoid enabling the hourly cron until you accept the persistence and browser-control behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents capabilities for network access, local file persistence, and execution via Python, but declares no permissions. That omission prevents users and the platform from understanding the actual trust boundary, especially because the skill also persists scan history and reaches external services. In a skill that connects to browser CDP and external APIs, undeclared capabilities materially increase the risk of unexpected data access or abuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documentation claims the tool is completely based on the GMGN official API, yet the findings indicate additional third-party API usage, embedded API key use, browser-CDP-driven fetches to bypass Cloudflare, and heuristic scoring presented as AI analysis. This kind of description-behavior mismatch is security-relevant because it hides external dependencies, bypass behavior, and credential handling from the user, undermining informed consent and review. The context makes it more dangerous because the skill is explicitly framed as 'accurate and reliable' while masking materially different behavior.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Claiming the skill 'completely uses the GMGN official API' while requiring browser CDP to bypass Cloudflare is a deceptive implementation detail. CDP-based browser control expands the attack surface significantly beyond normal API calls, enabling arbitrary web requests and interaction with a privileged local browser session. In this skill context, that discrepancy increases risk because users may authorize what appears to be a simple API client while actually granting browser-automation capability.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation repeats an API-only claim while also documenting non-API Cloudflare-bypass behavior. Repeated contradictory claims are not merely a wording issue: they can cause reviewers to underestimate the skill's effective privileges and execution model. Because bypassing access controls through browser automation is more sensitive than ordinary API consumption, the mismatch is security-significant in context.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The implementation depends on a local Chrome DevTools session and uses Runtime.evaluate to execute fetches inside a live browser context. This can inherit the browser's session state, cookies, or authenticated context, creating undisclosed access to local browsing state and making outbound requests with more privilege than a normal server-side HTTP client.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill advertises that it uses only the GMGN official API, but it actually automates a local Chrome DevTools instance and explicitly states it uses CDP to bypass Cloudflare. That creates a trust and transparency issue, and it expands the attack surface by depending on a privileged local browser debugging endpoint that may expose session state or be abused to make authenticated requests through the user's browser.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded API key in source code is a real secret-management vulnerability. Anyone with access to the skill can extract and reuse the credential, leading to unauthorized API consumption, quota exhaustion, billing abuse, account suspension, and possible linkage of activity back to the skill owner.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Using Chrome DevTools to issue fetch requests from a browser page can transmit browser/session context to external services without clear disclosure. In a skill context, this is more dangerous because it bridges local browser state with automated remote requests, potentially exposing authenticated context or enabling unintended tracking through the user's existing browser session.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script persists scan history to a fixed path under /root without notice, which silently stores user activity and can create privacy and operational issues. A fixed privileged path also risks overwriting shared state, leaking data across runs, or failing unpredictably depending on execution context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code hard-codes and transmits persistent device- and client-identifying parameters in every request without informing the user. This enables tracking, impersonation of a specific client fingerprint, and may expose users to privacy or account-linkage risks if the identifiers are tied to service-side monitoring.

VirusTotal

66/66 vendors flagged this skill as clean.
