Smart Money Miner

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed crypto wallet analysis tool that fetches public token and wallet-trading data, writes a local JSON result file, and does not show deceptive or destructive behavior.

Install only if you want a crypto-analysis skill that makes external API requests and writes a local results JSON file. Review the generated wallet lists before acting on them financially, and consider narrowing the trigger language if you maintain the skill to avoid accidental activation for non-crypto requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill documentation clearly describes capabilities to read local files (skip list/results), write output files, and access external APIs, yet no permissions are declared. This creates a transparency and governance gap: an agent or reviewer cannot reliably understand or constrain what the skill may do, increasing the chance of unintended file or network access in deployment.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad enough to match generic requests like finding profitable traders or good addresses outside the intended PumpFun/Four Meme wallet-analysis workflow. Over-broad activation can cause the wrong skill to run, exposing network/file capabilities in contexts where the user did not intend this specialized crypto-analysis behavior.

Vague Triggers

Medium
Confidence: 88%
Finding
The applicability section repeats broad activation criteria without clear boundaries, making accidental invocation more likely. In a skill that performs API-driven analytics and writes result files, misrouting ordinary requests into this workflow can lead to unnecessary external requests, incorrect outputs, or privacy surprises.

VirusTotal

64/64 vendors flagged this skill as clean.
