Crypto SAFE Portfolio Analyzer Pro

Security checks across malware telemetry and agentic risk

Overview

This looks like a real crypto portfolio tool, but it also includes under-disclosed trading-signal and aggressive strategy behavior that users should review carefully before installing.

Install only if you are comfortable reviewing and controlling the trading-signal parts yourself. Keep holdings, cost basis, wallet addresses, generated reports, and Discord outputs private; avoid running the JavaScript scanner or automation examples unless you intend to receive speculative crypto alerts and send watchlist data to third-party market-data services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities that read local files for holdings/configuration and make outbound network requests to CoinGecko, but it declares no corresponding permissions. That creates a transparency and policy-enforcement gap: users or hosting platforms may allow execution under the false assumption that the skill is offline or has no data-access needs, increasing the chance of unintended data exposure or unreviewed network access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
A documented purpose/behavior mismatch is security-relevant because it hides materially different behavior from the user and reviewer. If the skill also performs trading-opportunity scanning, sentiment aggregation, and alert generation beyond simple portfolio tracking, users may grant trust, automation, or access on a misleading premise, enabling unreviewed external calls and higher-risk financial decision support.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The example configuration includes Discord server identifiers and automated trading-related controls that exceed the stated purpose of portfolio tracking and P&L analysis. This broadens the skill’s operational scope, increases the chance of hidden messaging/automation behavior, and can mislead users into granting trust or configuration access for functionality they did not intend to enable.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The configuration defines leveraged funding-arbitrage, momentum entry/exit rules, and regime-based trading actions despite the skill being presented as a safe portfolio analyzer. In this context, embedding trading logic is dangerous because it can normalize or enable speculative automated behavior, potentially causing unauthorized or high-risk financial actions that users would not expect from a reporting tool.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code searches several local filesystem paths and loads whichever JSON config file exists, including a user home-directory path outside the skill's own working data. That gives the skill broader local file-read capability than its stated purpose requires, and in an agent setting this can expose unintended local data if path control or environment assumptions are abused.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The portfolio command treats the --holdings argument as either inline JSON or an arbitrary filesystem path and then reads that file directly. In an agent context, this creates a generic local file-reading primitive unrelated to normal portfolio analysis, which could be misused to access sensitive local files if an attacker can influence arguments.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation materially contradicts the declared skill purpose. Instead of safe portfolio tracking and P&L analysis, it performs market scanning and produces trading-oriented alerts, which can bypass user and platform expectations about the skill's behavior and risk profile. In this context, the mismatch is especially dangerous because users may trust it as a benign analytics tool while it nudges speculative behavior.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module header explicitly describes a Discord crypto opportunity scanner, which conflicts with the advertised safe portfolio-analysis capability. This kind of deceptive or inconsistent documentation increases the chance that risky functionality is hidden under a safer label, undermining informed consent and review controls. The skill context makes this more dangerous because the published description promises low-risk portfolio tracking.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The analysis engine emits explicit speculative recommendations such as 'BUY THE DIP,' 'RIDE BREAKOUT,' and 'REVERSAL PLAY.' That goes beyond passive portfolio analytics into actionable financial advice, creating user-harm, compliance, and trust risks—especially when the skill is presented as a safe tracker rather than a trading assistant.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The skill states it fetches live prices from CoinGecko while processing a user's holdings/watchlist, but it does not provide a clear user-facing privacy warning about outbound data transmission. Even if only coin symbols are sent, portfolio composition and watchlists can reveal sensitive financial interests, and users should be informed before such data is transmitted to third parties.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Discord integration example encourages sending detailed portfolio value and P&L data to an external messaging platform without any warning about privacy, access controls, or data minimization. Financial holdings and performance data are sensitive, and publishing them to a chat service can expose a user's net worth, positions, and trading behavior to unintended recipients if the channel, bot token, or server permissions are misconfigured.

Session Persistence

Medium
Category
Rogue Agent
Content
### 3. Set Up Configuration

For advanced features like cost basis tracking, create `portfolio-config.json`:

```json
{
```
Confidence
78% confidence
Finding
create `portfolio-config.json`: ```json { "cost_basis": { "BTC": 45000, "ETH": 2800, "SOL": 85 }, "watchlist": ["BTC", "ETH", "SOL", "DOGE", "XRP"], "target_allocation": { "BT

VirusTotal

64/64 vendors flagged this skill as clean.
