Chainstream Data

Security checks across malware telemetry and agentic risk

Overview

This skill is largely a real ChainStream data integration, but it also gives agents wallet, payment, private-key, and mutating API workflows that exceed a simple read-only analytics purpose.

Install only if you intend to use ChainStream as a live third-party crypto data and wallet-connected service. Before use, require explicit approval for wallet creation, private-key import, webhook creation, API-key storage, and any payment or transaction-signing step; prefer read-only API-key or MCP access for analytics.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (24)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The README mixes a supposedly read-only data skill with broader project capabilities that include DeFi execution and wallet-creating authentication flows. In an agent ecosystem, this can mislead operators or downstream agents into granting broader trust or invoking adjacent transactional behaviors, increasing the chance of unintended wallet creation or financial actions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documented webhook management endpoints materially expand the skill from read-only on-chain analytics into outbound integration and secret-management functionality. In an agent context, undocumented create/update/delete and secret-rotation capabilities can be abused to exfiltrate data, redirect events, or alter integrations beyond the user’s expected scope.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
Red packet create/claim/send endpoints are transactional, state-changing capabilities unrelated to the declared analytics and query purpose of the skill. In a blockchain agent, hidden fund-moving or reward-distribution actions significantly increase risk because a user may authorize what appears to be analysis while the skill exposes mechanisms that can transfer value or trigger unwanted on-chain operations.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
An IPFS presign endpoint introduces upload capability that is outside the described analytics scope and can enable unauthorized content publication or data exfiltration. In an agent setting, presigned upload URLs can be leveraged to move user data to external storage without the user realizing the skill supports content transfer.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The watchlist endpoint performs account-affecting mutation rather than passive analysis, which is inconsistent with the skill’s stated purpose. Undisclosed account-management actions can lead to unwanted tracking, privacy issues, or persistent state changes in a user’s service account when the user expects only data retrieval.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The schema exposes capabilities for swap execution and webhook scope management that go beyond the stated skill purpose of querying and analyzing on-chain data. This creates a scope-expansion risk: an agent or integrator relying on the manifest may unknowingly grant a skill transactional or persistent-notification capabilities, which could enable unintended fund movement or external data exfiltration paths if those features are wired up.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation introduces webhook creation and external callback delivery, which expands the skill from passive query/analysis into active outbound integration. That capability can transmit event data to arbitrary URLs and changes the trust/privacy model, especially because the skill metadata emphasizes query/analysis and streaming rather than configuring persistent outbound notifications.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The routing guidance is broad enough that this skill could be invoked for many generic token, wallet, or market questions without strong narrowing conditions. In this context, over-invocation is risky because the skill's execution path includes external CLI/MCP usage and the documented auth flow can lead to account creation or subscription checks, increasing the chance of unnecessary third-party data disclosure or unintended side effects.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file instructs the agent to 'MUST run chainstream login before any CLI command' and states that this creates a wallet and may auto-grant or upgrade trial plans, but it does not require explicit user consent at the moment of use. That creates a meaningful risk of unauthorized account creation, wallet provisioning, email binding, or plan changes on a third-party service triggered by what appears to be a read-only data request.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The usage examples include swap and routing commands alongside harmless data queries without a clear safety boundary or warning that on-chain actions may be irreversible and financially risky. In agent-assisted contexts, examples strongly influence behavior, so this can normalize or trigger transactional actions when a user expected analytics only.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is extremely broad and can trigger on many generic crypto requests, which increases the chance the agent invokes this skill in contexts involving wallet analysis, token security, or trading-adjacent actions without strong user intent confirmation. In this skill, broad routing matters because the documented workflow can progress into authentication, wallet creation, subscription checks, and even payment-related flows, expanding the blast radius of an unnecessary invocation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to run login and raw private-key import commands, including wallet creation and `wallet set-raw`, without prominent security warnings about key exposure, irreversible fund loss, malware risk, or the need for explicit informed consent. In an agent setting, documenting these flows without guardrails can normalize sensitive credential handling and make accidental or unsafe key ingestion more likely.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The reference includes sensitive wallet analytics, webhook secret retrieval/rotation, and upload-related endpoints without warning users about privacy, secret handling, or state-changing consequences. In an agent environment, lack of clear security guidance increases the chance that operators or users expose wallet intelligence, mishandle secrets, or approve actions with broader impact than expected.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The reference instructs the agent to load a DeFi swap skill as the next step after token discovery without explicitly requiring a user confirmation step, risk disclosure, or clarifying that any swap would be a financial transaction with irreversible consequences. In an agentic setting, this can normalize or accelerate movement from analysis to execution, increasing the chance of users being steered into trades they did not fully intend or understand.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The examples encourage wallet profiling, PnL lookup, trader identification, and webhook setup without privacy or data-sharing warnings. Even though the data is on-chain, aggregating and forwarding wallet analytics can expose sensitive behavioral insights and may cause users to transmit monitored addresses or webhook endpoints without understanding the implications.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation displays a live-style API key value (`cs_live_...`) and instructs users to set it directly on the command line, which can leak credentials via shell history, process listings, CI logs, terminal recordings, or audit trails. In an agent/automation context, this is more dangerous because operators often paste commands into shared environments and logs are commonly centralized.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# REST
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.chainstream.io/v2/wallet/sol/5Q544fKrFoe6tsEbD7S8EmxGTJYAKtTVhAW5Q5pge4j1/pnl"
```
Confidence
72% confidence
Finding
https://api.chainstream.io/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# REST
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.chainstream.io/v2/wallet/bsc/0xABC.../net-worth-details"
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.chainstream.io/v2/wallet/bsc/0xABC.../tokens-balance"
```
Confidence
74% confidence
Finding
https://api.chainstream.io/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.chainstream.io/v2/wallet/bsc/0xABC.../net-worth-details"
curl -H "Authorization: Bearer $TOKEN" \
  "https://api.chainstream.io/v2/wallet/bsc/0xABC.../tokens-balance"
```
Confidence
74% confidence
Finding
https://api.chainstream.io/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://my-server.com/webhook","filterTypes":["trade.whale"]}' \
  "https://api.chainstream.io/v2/webhook/endpoint"
```

## Batch Token Queries
Confidence
93% confidence
Finding
https://api.chainstream.io/

External Transmission

Medium
Category
Data Exfiltration
Content
### Method 2: Standard x402 GET (any x402-compatible wallet)

```
GET https://api.chainstream.io/x402/purchase?plan=<PLAN>
→ 402 + Payment-Required header → client signs → retries with Payment-Signature → 200
```
Confidence
90% confidence
Finding
https://api.chainstream.io/

External Transmission

Medium
Category
Data Exfiltration
Content
```typescript
client.register("solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp", new ExactSvmScheme(solanaSigner));

const x402Fetch = wrapFetchWithPayment(fetch, client);
const resp = await x402Fetch("https://api.chainstream.io/x402/purchase?plan=<PLAN>");
```

Required packages: `@x402/core`, `@x402/fetch`, `@x402/evm` (for Base), `@x402/svm` (for Solana)
Confidence
90% confidence
Finding
https://api.chainstream.io/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Tempo Wallet handles 402 → sign → retry automatically
tempo request "https://api.chainstream.io/mpp/purchase?plan=<PLAN>"
```

Tempo Wallet uses passkey (WebAuthn) authentication — the user needs to complete a one-time browser auth on first setup. After that, the session persists and agent operations work without further browser interaction.
Confidence
88% confidence
Finding
https://api.chainstream.io/

External Transmission

Medium
Category
Data Exfiltration
Content
Any wallet holding USDC.e on Tempo (chain ID 4217) can call the purchase endpoint directly:

```
GET https://api.chainstream.io/mpp/purchase?plan=<PLAN>
→ 402 + WWW-Authenticate: Payment challenge
→ Sign and retry with Authorization: Payment credential
→ 200 { apiKey, plan, expiresAt }
```
Confidence
88% confidence
Finding
https://api.chainstream.io/

VirusTotal

VirusTotal findings are pending for this skill version.
