Wojak.ink - NFT Browser

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent NFT market browser that uses public APIs and scoped local JSON history storage, with no evidence of hidden access, wallet control, or destructive behavior.

Safe to install if you are comfortable with a Node CLI that contacts public NFT APIs and keeps local market-history JSON files. Review npm dependencies before installing, treat rarity and deal outputs as informational estimates, and delete the skill's data directory if you do not want retained local history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low (91% confidence)

Finding: The feature list explicitly states that the skill stores historical market data locally in persistent JSON files, but it does not clearly warn users during setup or usage that local data will be written and retained. This creates a transparency and privacy issue: users may unknowingly leave market activity or usage-derived records on disk, which can matter on shared systems or managed environments.

Missing User Warnings

Low (90% confidence)

Finding: The skill advertises automated historical data storage and tracking, but the documentation does not warn users that marketplace data may be persisted. While this appears to be analytics-oriented rather than malicious, undisclosed retention can create privacy and transparency issues, especially if user-triggered queries or derived datasets are stored over time.

Missing User Warnings

Low (93% confidence)

Finding: The skill documentation names third-party APIs but does not clearly warn users that their commands and lookup terms may be transmitted to external services. Even if the data sent is limited to NFT IDs, traits, or search terms, users should be informed because these requests leave the local environment and may be logged by those services.

VirusTotal

65/65 vendors flagged this skill as clean.
