ClawHub

OpenScan Crypto

Security checks across malware telemetry and agentic risk

Overview

This skill coherently provides read-only blockchain lookup and RPC management, with disclosed external lookups and local config/cache writes but no hidden or destructive behavior.

Install if you are comfortable with blockchain addresses, transaction hashes, selectors, and RPC queries being sent to public RPC providers and the disclosed lookup services. Use privacy-tagged RPCs or trusted custom RPCs for sensitive investigations, and review ~/.config/openscan-crypto/rpc-config.json after changing RPC settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The security section claims the skill is 'READ-ONLY,' but the documentation elsewhere states it writes cache and RPC configuration files locally. That mismatch can mislead operators or users into approving execution under the false assumption that the skill has no side effects, which weakens informed consent and review controls.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The CLI accepts arbitrary user-supplied RPC URLs via rpc-set --add/--rpcs and later uses them for network operations and benchmarking. In an agent skill context, this creates an SSRF-style capability and data-exfiltration risk because a prompt or user can steer the agent to connect to attacker-controlled or internal endpoints, causing requests from the host environment to untrusted destinations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The btc-address command sends the user-provided Bitcoin address to mempool.space over HTTPS without an execution-time warning or consent check. In this skill context, blockchain addresses can be sensitive identifiers, so silently disclosing them to a third party creates a privacy leak and may expose user interests, holdings, or investigative targets to an external service.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The code sends unknown transaction function selectors to 4byte.directory for signature resolution, which discloses user-derived blockchain activity metadata to a third party. While a 4-byte selector is limited and not full calldata, it can still reveal intended contract interactions and creates an undocumented outbound data flow, which is a real privacy issue in a blockchain-query skill.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal