SkillzMarket

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate paid-skill marketplace client, but it can use a wallet private key to make automatic USDC payments, including to arbitrary endpoints, without enforced limits or confirmation.

Install only if you intentionally want an agent-accessible tool that can spend USDC from a configured wallet. Use a dedicated low-balance wallet, avoid `direct` unless you fully trust the endpoint, review destination and price before paid calls, and do not send secrets or sensitive data in request JSON.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no explicit permissions while its documented behavior clearly requires access to environment secrets and outbound network communication. This weakens security review and user understanding because the skill can read a private key and contact external services without transparent permission scoping.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose says the skill searches and calls Skillz Market skills, but the command set also includes `direct <url> <json>`, which enables calls to arbitrary user-supplied URLs. In a skill that holds a cryptocurrency private key and can trigger paid requests, this mismatch is dangerous because users and reviewers may not realize it can send data and payments to untrusted endpoints outside the stated ecosystem.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The CLI exposes a `direct` mode that sends payment-enabled POST requests to any user-supplied URL, bypassing the Skillz Market discovery and trust model described by the skill. Because the same payment wrapper and private key-backed signer are used for arbitrary endpoints, a malicious or compromised URL could trigger unintended paid interactions, SSRF-like outbound access, or exfiltration of sensitive user-provided data to untrusted services.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The arbitrary external endpoint payment capability is inconsistent with the stated purpose of searching and calling Skillz Market skills, so it meaningfully expands the attack surface beyond the advertised trust boundary. This makes the tool more dangerous in context: users may assume marketplace vetting applies, while the code actually permits paid requests to any URL using the configured wallet credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README encourages users to invoke arbitrary third-party endpoints via the `direct` command while emphasizing automatic payment, but it does not clearly warn that user-supplied payloads may be sent to untrusted external services and that real USDC payments may be triggered as part of the request flow. In a skill that is explicitly designed to spend cryptocurrency and forward requests off-platform, missing consent and data-handling warnings materially increase the risk of unintended fund loss and sensitive data disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill documentation does not clearly warn that invoking `call` or `direct` can trigger real USDC-backed payments and transmit user-provided JSON to external services. This creates a meaningful risk of unintended financial loss and privacy exposure, especially because the skill is designed to automate payments using a configured private key.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `direct` command posts arbitrary caller-supplied input to an arbitrary URL without any warning, preview, or confirmation about data leaving the local environment. In a payment-enabled CLI, this can cause users or upstream agents to transmit secrets, personal data, or proprietary prompts to attacker-controlled endpoints under the mistaken belief they are interacting with the Skillz Market ecosystem.

VirusTotal

64/64 vendors flagged this skill as clean.