ClawHub

ConvoYield

Security checks across malware telemetry and agentic risk

Overview

The local conversation analytics core exists, but the package also ships under-scoped cloud billing, telemetry, and cryptocurrency-style wallet/mining features.

Install only if you intentionally want the broader ConvoYield ecosystem, not just a local analytics helper. Before use, treat cloud telemetry, billing, wallet/mining, marketplace, and persistent ledger features as separate high-impact capabilities; avoid interactive/coin/cloud modes unless you have reviewed their data flows, storage locations, network exposure, and payment behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (104)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill claims no external APIs or dependencies, yet the detected capabilities include environment access, file read/write, and network activity without any declared permissions. This mismatch is dangerous because it can enable undeclared data access, local persistence, and outbound communication that users and reviewers are not expecting, undermining trust and permission boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a major description-behavior mismatch: the skill markets itself as local, dependency-free, and offline, while the analyzed behavior includes telemetry, remote HTTP communication, cloud services, billing, persistent databases, premium activation, webhooks, and even cryptocurrency/blockchain features. Such concealment is highly dangerous because it can mask extensive data exfiltration, financial workflows, attack surface expansion, and unauthorized monetization behind a benign-looking analytics skill.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file implements remote cloud connectivity, API-key provisioning, server communication, and billing/checkout flows despite the skill being described as a local, no-dependency analytics engine with no external APIs. This is dangerous because it materially expands the trust boundary, causes undisclosed data egress to a configurable server, and introduces monetization/account-management capabilities users would not reasonably expect from the stated functionality.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Embedding billing and subscription management in an analytics dashboard is outside the narrowly stated purpose and creates unnecessary capability for account changes, redirects, and monetization workflows. Even if not directly exploitable on its own, this unjustified functionality increases attack surface and can mislead users into authorizing payments or trusting a broader cloud service than advertised.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The webhook registration endpoint accepts arbitrary URLs from authenticated users without visible validation, allowlisting, or scheme restrictions. If downstream delivery logic performs outbound requests to those URLs, this can enable SSRF-style abuse, internal network probing, or abuse of the service as a request relay.

Context-Inappropriate Capability

High
Confidence
83% confidence
Finding
Interactive mode silently creates a wallet, attaches a mining bridge, and later persists ledger state even though a user would reasonably expect only conversational analysis. This can lead to unexpected local state creation and exposure of financial-like identifiers, increasing privacy and operational risk in a context that does not require such behavior.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file contradicts the skill's stated 'No external APIs' claim by performing outbound HTTP telemetry with an API key, creating undisclosed data egress. Even if the payload excludes raw messages, exporting session-linked behavioral analytics off-box is security-relevant and can expose sensitive usage patterns or enable covert collection inconsistent with user expectations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The module adds remote telemetry/export behavior that is not necessary for local conversational yield analysis, increasing attack surface and creating a hidden data flow outside the primary skill purpose. In this context, undeclared phone-home behavior is more dangerous because the skill advertises local processing and no external dependencies, so operators may deploy it in environments that assume no outbound network activity.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The docstring claims anonymized analytics and no personal information, but the code sends session_id plus detailed behavioral fields such as recommendations, conversions, phases, and sentiment-derived metrics. Session identifiers are often linkable, and these fields can still reveal sensitive user or business context, so the privacy assurances are misleading and may cause unsafe deployment decisions.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
This package explicitly exposes cryptocurrency, wallet, mining, marketplace, and ledger primitives that are unrelated to the declared purpose of conversational yield optimization. Even in this file, the public API advertises financial and persistent-value-transfer capabilities, which materially expands the skill’s operational scope and creates risk of hidden monetization, asset handling, or user deception.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Wallet, mining, tokenomics, marketplace, and ledger features are context-inappropriate for a conversation optimization skill and indicate covert financialization of user interactions. In this context, those components could be used to assign value to conversations, persist transaction-like records, or enable unauthorized economic behavior that users and operators would not reasonably expect.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The module documentation markets the package as a cryptocurrency and token-mining system, directly conflicting with the stated description of a zero-cost optimization engine. That mismatch is dangerous because deceptive framing can conceal sensitive functionality during review and increase the likelihood that operators deploy code whose real behavior and risk profile they do not understand.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code treats caller-supplied yield_proof as authoritative and uses it to mint rewards, but it never verifies that the claimed conversational value is tied to any real evidence or trusted computation. An attacker or dishonest operator can submit arbitrary values above the minimum threshold and continuously mint unbacked currency, undermining ledger integrity, token supply controls, and any downstream logic that relies on balances or rewards.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file implements cryptocurrency-style key generation, addressing, transaction hashing, and signing primitives that are unrelated to the declared purpose of a conversation-yield analytics skill. Even if not directly exploitable by itself, the presence of hidden financial/transaction infrastructure materially expands the capability surface and is suspicious because it enables unauthorized wallet or token functionality outside user expectations.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Keypair generation, address derivation, transaction hashing, and signing are unjustified capabilities for a conversational analytics engine and create an unnecessary high-risk feature set. In this context, such functionality is more dangerous because it is concealed behind an unrelated skill description, which could facilitate covert token, wallet, or transaction workflows without informed review or consent.

Intent-Code Divergence

High
Confidence
100% confidence
Finding
The verification function does not actually validate that the signature matches the message and key; it only checks that the input is a 64-character hex string and then returns true. This means an attacker can forge arbitrary 'valid' signatures by supplying any hex string of the right length, completely bypassing transaction authenticity and authorization.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file materially diverges from the declared skill purpose by implementing blockchain-style mining difficulty, proof-of-work validation, and nonce search logic inside a conversational yield optimization package. In an agent skill context, hidden or unjustified mining primitives are dangerous because they can enable unauthorized resource consumption, covert monetization, or later extension into cryptomining behavior without any user-facing justification.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The mine_block_hash function performs repeated SHA-256 hashing over a nonce range to search for a valid proof-of-work solution, which is effectively a mining primitive. For a skill advertised as having no external dependencies and focused on conversational economics, this capability is unrelated and creates a direct path to CPU abuse or stealth compute consumption if invoked repeatedly or at scale.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Difficulty adjustment, hash target generation, and hashrate estimation are context-inappropriate for a conversational analytics engine and indicate embedded cryptocurrency infrastructure beyond the stated purpose. Even if not actively exploited today, these primitives increase the attack surface and make the skill more suspicious because the surrounding context provides no legitimate need for blockchain consensus mechanics.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The documentation attempts to normalize proof-of-work as part of 'conversational yield' while the implementation is standard mining logic, which is misleading and can conceal risky functionality during review. In security-sensitive agent ecosystems, deceptive framing makes harmful capabilities more dangerous because operators may approve or deploy the skill without understanding that it contains cryptomining-related code paths.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This module imports and wires blockchain, wallet, mining, tokenomics, marketplace, and ledger components into a skill advertised as a no-dependency conversational yield optimizer. That scope expansion is dangerous because it introduces financial-state management and value-transfer capabilities that users and reviewers would not reasonably expect from the stated skill purpose, increasing the risk of covert persistence, unauthorized asset operations, and deceptive behavior.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Creating or importing wallets in a conversational analytics skill is unrelated to the declared functionality and handles sensitive secret material without clear necessity. This is dangerous because it expands the trust boundary to cryptocurrency key management, exposing users to secret-key mishandling, unexpected financial operations, and hidden state creation not implied by the skill description.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The attach method monkey-patches the engine's message-processing path so every user message can trigger proof submission, mining behavior, wallet auto-creation, and later persistence. This is dangerous because it covertly alters core runtime behavior in response to normal conversation flow, making financial side effects automatic and difficult for users or integrators to notice, audit, or opt out of.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The module exposes staking, unstaking, marketplace purchase, listing, and token transfer methods that are unrelated to conversational yield optimization and enable financial-like operations. In this context, these capabilities are dangerous because they add mechanisms for moving or locking value under the cover of a non-financial analytics skill, increasing the chance of abuse, policy evasion, or user deception.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The top-level documentation advertises automatic coin mining and blockchain integration while the overall skill metadata claims a pure conversational optimization engine with no external dependencies. This mismatch is dangerous because deceptive documentation and packaging reduce reviewer and user awareness, making it easier to smuggle in hidden financial behaviors and normalize unexpected mining or wallet operations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal