ClawHub

MintGarden

Security checks across malware telemetry and agentic risk

Overview

This is a read-only MintGarden API lookup skill with some documentation and command-label accuracy issues, but no evidence of hidden access, persistence, credential use, or destructive behavior.

Reasonable to install if you want a MintGarden/Chia NFT lookup tool. Be aware that anything you search or look up is sent to the MintGarden API, and treat trading-related outputs as informational because several command labels are broader than what the code actually returns. Review npm dependencies before installing and skip global CLI linking unless you need the mg or mintgarden commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The `collection activity` path accepts a collection identifier but ignores it and returns global marketplace events instead. This is a semantic integrity flaw: users may make decisions believing the output is scoped to a specific collection when it is not, which can mislead trading, moderation, or monitoring workflows.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The `stats` command claims to provide global statistics but actually returns the top collections list. This can cause users or downstream agents to trust incorrect semantics and act on misleading data, though it does not directly expose systems or data.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The `trending` command reuses the 24-hour top collections list rather than providing actual trending data. This is misleading behavior that can distort user understanding or automated ranking decisions, but the impact is primarily integrity-related and limited in scope.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The skill documentation describes search, profile, NFT, and collection lookups that transmit user-supplied queries, usernames, DIDs, launcher IDs, and collection IDs to the MintGarden API, but it does not warn users that their inputs are sent to a third-party service. This is a real privacy/transparency issue because users may provide identifiers they assume are processed locally, especially in chat contexts like Telegram or CLI wrappers.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal