juglans market price (ALL markets, ALL realtime)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent market-price lookup skill, with the main caution being optional unpinned GitHub-based installation steps.

Prefer installing through ClawHub or reviewing the downloaded files before running the shell installer. Use the skill for live market quotes, and assume the asset symbols you ask about are sent to Juglans Finance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Missing User Warnings

Medium, 97% confidence
Finding:
The README recommends a one-line installer that downloads a remote script and executes it immediately with bash. This bypasses any opportunity for users to inspect the script, verify integrity, or pin to a reviewed version, so a compromised GitHub repo, branch, CDN path, or maintainer account could lead directly to arbitrary code execution on the user's machine.

Missing User Warnings

Medium, 89% confidence
Finding:
The installer fetches a remote SKILL.md over the network and writes it directly into the user's active skills directory without any integrity verification, pinning, or explicit warning/confirmation. Because skill content is effectively trusted by the host agent after installation, a compromised upstream repository, tampered network path, or unexpected file change could silently alter agent behavior and introduce prompt-injection or malicious instructions.

VirusTotal

64/64 vendors flagged this skill as clean.
