ClawHub

Token Analyzer

Security checks across malware telemetry and agentic risk

Overview

This token-analysis skill appears purpose-built, but it asks users to expose a Chrome debugging session and includes under-disclosed browser automation, social-media enrichment, and legacy third-party API code.

Install only if you are comfortable running this against a dedicated disposable Chrome profile with remote debugging enabled. Do not attach it to your normal logged-in browser, close port 9222 after use, and review whether GMGN, Twitter/X via bird, and the packaged legacy Ave.ai script are acceptable for your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill documentation instructs use of both shell commands and network access, but no explicit permissions are declared. This creates a transparency and sandboxing problem: users or the host system may approve a seemingly low-risk skill that actually requires broader capabilities, increasing the chance of unintended command execution or outbound access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior exceeds the stated purpose: besides querying GMGN, it references browser automation/CDP usage and added Twitter/X analysis via bird CLI, while the description claims an official-GMGN-based token analysis tool. This mismatch undermines informed consent and can conceal unexpected data collection, third-party access, or secret-bearing integrations, making review and policy enforcement harder.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill claims to be based only on the official GMGN API, but later documents use of a third-party CLI to fetch and analyze developer Twitter data. That undisclosed expansion of scope changes the trust boundary and may expose users to additional data collection, external requests, and privacy or compliance issues they did not agree to.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Profiling social-media accounts and reviewing tweet content goes beyond straightforward token analytics and introduces surveillance-style data processing. In the context of a token analysis skill, this broader capability is more dangerous because users may not expect identity inference, behavioral classification, or reputational risk scoring against individuals.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script connects to a local Chrome DevTools endpoint and uses Runtime.evaluate to execute arbitrary JavaScript in an existing browser page context. This grants access to the browser's authenticated session, cookies, and origin-bound privileges, which is far beyond normal token-analysis needs and creates a session-scraping capability that could be repurposed to access protected data or internal resources.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The code does not operate as a simple official API client; instead it discovers a live Chrome tab and fetches data through that browser context. This effectively piggybacks on a user's existing browser state to bypass normal access controls or anti-bot protections, making the skill more dangerous because its stated purpose is token analysis, not browser-session extraction or scraping.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script attaches to a local Chrome DevTools endpoint and uses Runtime.evaluate/callFunctionOn to execute browser-side JavaScript fetches. That capability is significantly more powerful than ordinary HTTP requests because it can leverage an existing browser session, cookies, and other authenticated browser context, which creates a risk of local privilege misuse or unintended access to data beyond the stated token-analysis purpose. In this skill context, using DevTools to drive a real browser is less justified and therefore more suspicious than a normal API client test script.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script connects to a local Chrome DevTools endpoint and uses Runtime.evaluate to execute JavaScript in the browser context, which is a powerful capability well beyond ordinary token analysis. If reused, modified, or run in an environment with an exposed debugging port, it can drive an existing browser session, inherit that session’s cookies/auth state, and perform arbitrary web requests or actions as the user.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file contains a hard-coded Ave.ai API key directly in source code. Embedded secrets are dangerous because anyone with code access can reuse the credential, abuse the third-party account, exhaust quotas, or incur billing and reputational damage; in a distributable agent skill, exposure is especially likely.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script silently uses Ave.ai as an additional data source even though the skill description says it is based on the official GMGN API. This is a security-relevant capability mismatch because user input and query metadata are disclosed to an undisclosed third party, undermining trust, privacy expectations, and auditability.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code connects to a local Chrome DevTools endpoint and can drive an existing browser tab to fetch remote content and scrape page text. This is more dangerous than a normal API-only skill because it expands the attack surface to browser automation and access to whatever privileged browsing context is already open on localhost:9222.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill claims GMGN-API-based token analysis, but it silently expands scope by invoking an external bird CLI to collect Twitter/X data. That creates an undisclosed dependency and expands the attack surface to the local environment, the external tool, and any credentials or configuration that tool may use.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The implementation collects extra social-media data outside the stated GMGN-only scope, which means users may unknowingly expose their environment to additional tooling and network interactions. In a skill ecosystem, this mismatch is security-relevant because reviewers and users rely on the manifest to understand what code will execute and what data sources it will touch.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is explicitly designed to use a browser and Chrome DevTools to bypass Cloudflare protections instead of directly using a documented API flow. This is dangerous because it requires attaching to a locally exposed debugging interface, increases privilege over the user's browser context, and materially exceeds the expected behavior of a normal API client.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script explicitly states it uses a browser to bypass Cloudflare and depends on a local Chrome DevTools session to do so. That introduces undisclosed browser automation and anti-bot evasion behavior far beyond ordinary token analysis, and can expose the user's active browser context, cookies, and session state to the script.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code enumerates all local Chrome tabs and attaches to any gmgn.ai tab, or otherwise the first available page, which gives it access to arbitrary user browsing context. This is broader than necessary for token analysis and could allow interaction with unrelated pages, exposing sensitive content or authenticated sessions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The implementation sends Runtime.evaluate and Runtime.callFunctionOn commands over DevTools to execute JavaScript in the browser page. That is effectively remote code execution inside the user's browser context and is far more powerful than simple HTTP requests, creating risk of session misuse, data access, or unintended actions if inputs or target pages change.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script connects to a local Chrome DevTools instance and uses Runtime.evaluate to execute JavaScript that performs arbitrary fetch requests in the browser context. That is broader than simple token lookup logic and can inherit the browser's network reach, cookies, and authenticated session state, creating a capability expansion that could be abused if the fetched URL becomes attacker-influenced or if a sensitive local browser is exposed on port 9222.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation describes collecting and analyzing developer Twitter data without any explicit warning about privacy implications. This is risky because it normalizes processing personal or quasi-personal social-media data without consent language, retention limits, or notice about how those inferences are used.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script connects to a local Chrome DevTools endpoint on localhost:9222 and uses Runtime.evaluate to execute JavaScript in a browser page, then performs network fetches through that browser context without any user awareness or consent. This is dangerous because DevTools access can expose or misuse the user's active browser session, including authenticated context, cookies, and page privileges, turning a local analysis helper into a capability for covert browser-assisted data access.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code sends outbound requests through a browser debugging session without any disclosure or consent mechanism, which hides that the browser is being used as a privileged network execution environment. In this skill context, that is more dangerous because a token-analysis tool is expected to query APIs directly, not to silently piggyback on a user’s live browser session.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script embeds fixed device_id, fp_did, and client_id values in outbound requests. Hardcoded identifiers can misrepresent the client, undermine transparency, create tracking/privacy concerns, and may violate API usage expectations or cause all users of the script to share the same fingerprint.

Missing User Warnings

High
Confidence
99% confidence
Finding
The hard-coded Ave.ai credential is not only stored insecurely but is automatically transmitted in outbound requests without any disclosure to the user. This creates immediate secret leakage and unauthorized-use risk, and the skill context makes it worse because users would reasonably expect a token analysis tool not to embed and silently spend third-party credentials.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script sends the queried token address and chain-derived identifier to Ave.ai without informing the user that their inputs are being shared with a separate third party. While the data is not highly sensitive by itself, undisclosed outbound sharing violates the stated skill boundary and can expose usage patterns, addresses of interest, and operator behavior to external services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script hard-codes and transmits stable device and client identifiers to a third-party service without any warning or consent flow. Persistent identifiers enable cross-session tracking and can tie user activity to a durable fingerprint, which is a privacy and operational-security concern in a security-sensitive tooling context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal