Crypto Research Interactive Framework

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only crypto research framework whose file and network behavior is mostly disclosed and aligned with producing local research reports.

Install only if you are comfortable with the skill reading and writing within its workspaces folder and using web or optional MCP data sources for research. Avoid putting API keys in URL-based MCP examples; use environment-variable configuration instead. Review workspace documents before using autonomous mode, since it may load relevant prior outputs or documents without asking each time.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (44)

Intent-Code Divergence

Severity: Medium | Confidence: 93%
Finding:
The document explicitly claims the workflow is workspace-independent and does not update workspace state, yet later instructs the agent to write a file into the workspace. This inconsistency can mislead users, reviewers, or orchestrators about side effects, causing unexpected persistence of generated content and weakening trust and auditability.

Intent-Code Divergence

Severity: Medium | Confidence: 92%
Finding:
The note saying no workspace state update is required directly contradicts the delivery instruction to write a markdown file under the workspace path. In agent systems, such contradictions are dangerous because downstream components may permit execution under a read-only or low-trust assumption while the skill actually persists artifacts.

Vague Triggers

Severity: Medium | Confidence: 91%
Finding:
The README states that CRIF 'activates automatically' from broad natural-language requests about crypto research, which can cause the skill to engage unexpectedly without an explicit consent or confirmation step. In an agent environment with file access and workflow orchestration, ambiguous triggers increase the chance of unintentional execution, unnecessary data access, or filesystem writes when the user only intended casual discussion.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding:
The README says the AI will write structured reports to the workspace, but it does not prominently warn users that running the skill may modify the filesystem. Because the documented environment explicitly includes read/write-capable AI assistants, this omission can lead to silent creation or overwriting of files, surprising users and making unintended persistence more likely.

Vague Triggers

Severity: Medium | Confidence: 90%
Finding:
The activation criteria are extremely broad, including almost any mention of crypto analysis, market intelligence, token analysis, or blockchain research needs. This can cause the skill to trigger in contexts where the user did not explicitly request this framework, leading to unintended instruction injection into unrelated conversations and over-application of the skill's workflow.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding:
The component explicitly instructs the agent to write a file into the workspace and then delete the `.scratch` file, but it does not require explicit user notification or confirmation for those filesystem mutations at the time of execution. In an agent setting, silent writes and deletions can cause unintended data loss, surprise side effects, and weaken user control over local artifacts, especially if the workspace contains important intermediate research context.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding:
The workflow instructs the agent to write an output file but does not present a clear user-facing disclosure or consent step before persistence. That can lead to silent storage of generated material in the workspace, which is a security and privacy concern, especially in multi-step research environments where users may assume the action is ephemeral.

Missing User Warnings

Severity: Low | Confidence: 94%
Finding:
The workflow explicitly instructs the agent to write a file into the workspace outputs directory without requiring user notice or confirmation that local workspace state will be modified. While the target path appears constrained and intended for normal operation, silent file creation can still surprise users, overwrite prior artifacts depending on naming behavior, or violate least-surprise expectations in agent environments.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding:
The workflow explicitly instructs the agent to create a workflow output directory and clone a scratch template into a hidden file, but it does not require notifying the user or obtaining consent before modifying workspace state. In an agent setting, silent file creation changes user data and can violate expectations about read-only research behavior, especially because the skill is framed as analysis rather than filesystem management.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding:
The source-selection step tells the agent to scan workspace outputs and documents and, in autonomous mode, to auto-load relevant sources silently. That creates a confidentiality and transparency risk because prior outputs or documents may contain sensitive information, and the user is not warned that the skill may ingest them automatically.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The delivery step directs the agent to write final outputs to the workflow output path, verify success, and then delete the scratch file, all without any required warning or approval. Silent writes and deletions are dangerous because they alter and remove workspace artifacts, which can lead to loss of auditability or accidental destruction of intermediate context the user may want to inspect.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding:
The documentation shows a remote MCP configuration that embeds the Exa API key directly in the command URL query string. Secrets placed in URLs are prone to exposure through shell history, process listings, logs, crash reports, proxy telemetry, and copied configuration files, making unintended credential disclosure significantly more likely.
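As an added illustration of the finding above (this is not code from the CRIF skill or from SkillSpector), the following Python check parses an MCP client configuration and flags credentials carried in URL query strings or in the user:password@host part of a URL, then shows the same server reconfigured so the secret lives in the environment. Both JSON snippets are constructed; the server name `exa`, the `mcp-remote` command, the host `mcp.example.com`, the parameter name `exaApiKey` and the `EXA_API_KEY` variable are assumptions, and how a particular client or bridge expands that variable and forwards it to the remote server is outside what the check tests.

```python
"""Flag credentials embedded in MCP server URLs (added example; not CRIF code)."""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Coarse heuristic for credential-like query parameter names (assumed list).
# In a crypto context "token" may also name an asset, so hits need review.
SECRET_PARAM_RE = re.compile(r"api[_-]?key|token|secret|password|auth", re.IGNORECASE)

# Constructed: the weak shape the finding describes, an API key in the URL
# query string that shell history, process listings and logs will capture.
WEAK_CONFIG = """
{
  "mcpServers": {
    "exa": {
      "command": "npx",
      "args": ["-y", "mcp-remote",
               "https://mcp.example.com/mcp?exaApiKey=sk-live-0123456789abcdef"]
    }
  }
}
"""

# Constructed: same server with the secret supplied through the environment.
# EXA_API_KEY is an assumed name; whether a client expands the placeholder is
# client-specific. The point is that no secret literal appears in the URL.
HARDENED_CONFIG = """
{
  "mcpServers": {
    "exa": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.example.com/mcp"],
      "env": {"EXA_API_KEY": "${EXA_API_KEY}"}
    }
  }
}
"""


def _strings(value):
    """Yield every string nested anywhere in a parsed JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from _strings(item)
    elif isinstance(value, list):
        for item in value:
            yield from _strings(item)


def find_secrets_in_urls(config_text):
    """Return (server, where, redacted_url) for each credential found in a URL.

    'where' is the offending query parameter name, or 'userinfo' when the
    secret sits in the user:password@host part of the URL.
    """
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for server, spec in servers.items():
        for s in _strings(spec):
            if "://" not in s:
                continue  # not a URL; env values and plain args are skipped
            parts = urlsplit(s)
            if parts.password:
                findings.append((server, "userinfo", s.replace(parts.password, "<redacted>")))
            for key, val in parse_qsl(parts.query, keep_blank_values=True):
                if SECRET_PARAM_RE.search(key):
                    redacted = s.replace(val, "<redacted>") if val else s
                    findings.append((server, key, redacted))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, find_secrets_in_urls(cfg) or "no credentials in URLs")
```

Running the check over the weak configuration reports the `exaApiKey` parameter with its value redacted; the hardened configuration produces no findings. The check deliberately walks every string in a server entry rather than a fixed `url` field, because the key in the finding sits inside a command argument list, which is exactly where a field-specific linter would miss it.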

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding:
The orchestrator explicitly creates, updates, persists, and deletes workspace state files as part of normal operation, but the spec does not require any user-facing disclosure or confirmation before modifying local state. In an agent setting, silent state mutation can surprise users, overwrite prior context, or create retention/privacy issues, especially because the session file persists across workflows and the scratch file is deleted automatically.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding:
The instructions call for deletion of `outputs/{workflow-id}/.scratch` when discarding a previous workflow, but there is no explicit warning that a file will be removed or that resumable state may be lost. Even though `.scratch` is presented as temporary, deleting workflow artifacts without clear notice can cause data loss and break user expectations around recoverability.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding:
The guide explicitly instructs the agent to append validated findings to `.scratch` as part of normal operation, but provides no requirement to inform the user, obtain consent, or constrain what may be persisted. In a collaborative crypto-research context, checkpoints may include sensitive user-provided insights, proprietary research notes, or investment theses, so silent file writes create a real confidentiality and data-governance risk.
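The Missing User Warnings findings above describe one recurring gap: writes under `outputs/{workflow-id}/`, overwrites of prior artifacts and deletion of `.scratch` happen with no confinement check, no confirmation step and no audit record. The following Python sketch, added here and not part of CRIF, shows one way an agent runtime can close that gap: a guard that confines every target to the workspace `outputs` directory, refuses overwrites and deletions unless a confirmation callback approves that specific mutation, and keeps an audit list of what was applied and what was refused. The `WorkspaceGuard` class, the `confirm` callback and the `wf-001` workflow id are assumptions; the directory layout follows the paths quoted in the findings.

```python
"""Consent-gated, path-confined workspace mutations (added example; not CRIF code)."""
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class Mutation:
    op: str          # "write" or "delete"
    path: Path       # resolved absolute target
    overwrite: bool  # a write that would replace an existing file
    applied: bool = False


class WorkspaceGuard:
    """Every mutation is confined to <workspace>/outputs, destructive ones
    (overwrite, delete) need a per-mutation confirmation, and everything,
    applied or refused, lands in an audit list the user can be shown."""

    def __init__(self, workspace, confirm=None):
        self.root = Path(workspace).resolve()
        self.outputs = self.root / "outputs"
        # Default deny: with no confirmation hook, nothing destructive happens.
        self.confirm = confirm or (lambda mutation: False)
        self.plan = []

    def _confine(self, rel):
        """Resolve rel under outputs/ and reject '..', absolute or symlinked escapes."""
        target = (self.outputs / rel).resolve()
        if target != self.outputs and self.outputs not in target.parents:
            raise PermissionError(f"{rel!r} resolves outside {self.outputs}")
        return target

    def write(self, rel, text):
        target = self._confine(rel)
        m = Mutation("write", target, overwrite=target.exists())
        self.plan.append(m)
        if m.overwrite and not self.confirm(m):
            return False  # prior artifact kept; the refusal is still recorded
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
        m.applied = True
        return True

    def delete(self, rel):
        target = self._confine(rel)
        m = Mutation("delete", target, overwrite=False)
        self.plan.append(m)
        if target.exists() and self.confirm(m):
            target.unlink()
            m.applied = True
        return m.applied

    def audit(self):
        """Human-readable record of what was done and what was refused."""
        lines = []
        for m in self.plan:
            status = "APPLIED" if m.applied else "REFUSED"
            suffix = " (overwrite)" if m.overwrite else ""
            lines.append(f"{status} {m.op} {m.path.relative_to(self.root).as_posix()}{suffix}")
        return lines


def demo(confirm):
    """Replay the skill's documented sequence (scratch checkpoint, report,
    second report write, scratch cleanup) plus one escape attempt in a
    throwaway workspace; wf-001 is an assumed workflow id."""
    with tempfile.TemporaryDirectory() as tmp:
        g = WorkspaceGuard(tmp, confirm)
        r = {}
        r["scratch_created"] = g.write("wf-001/.scratch", "checkpoint 1\n")
        r["report_created"] = g.write("wf-001/report.md", "# Report\n")
        r["report_overwritten"] = g.write("wf-001/report.md", "# Report v2\n")
        r["scratch_deleted"] = g.delete("wf-001/.scratch")
        try:
            g.write("../SKILL.md", "injected")
            r["escape_blocked"] = False
        except PermissionError:
            r["escape_blocked"] = True
        r["report_text"] = (g.outputs / "wf-001/report.md").read_text()
        r["audit"] = g.audit()
        return r


if __name__ == "__main__":
    for line in demo(lambda m: False)["audit"]:
        print(line)
```

With the default deny callback the first write of `.scratch` and of the report go through, the second report write and the `.scratch` deletion are refused and recorded, and the attempt to write `../SKILL.md` raises before touching the filesystem. Wiring `confirm` to an actual user prompt turns the audit list into the disclosure the findings ask for; keeping the refused entries in it is what preserves auditability when the user says no.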

Natural-Language Policy Violations

Severity: Medium | Confidence: 93%
Finding:
The guide explicitly recommends Gemini's `BLOCK_ONLY_HIGH` safety filter, which weakens default safeguards and normalizes minimal content filtering without contextual justification. In a general-purpose image prompting guide, that advice can lead downstream users or agents to generate content under reduced safety constraints, increasing the chance of policy-violating, harmful, or abusive outputs.

Natural-Language Policy Violations

Severity: Medium | Confidence: 93%
Finding:
The template hard-codes Vietnamese as the default output language and instructs preserving English only selectively, which can override or bias the agent away from the user's explicit language preference. In an interactive research skill, this creates a specification-level prompt injection risk because downstream outputs may ignore user intent, reduce usability, and distort content translation decisions in ways the user did not request.

Vague Triggers

Severity: Medium | Confidence: 88%
Finding:
The workflow description and trigger language are broad enough that this brainstorm session could activate for many loosely related requests, increasing the chance of unintended invocation. In a crypto research skill, over-broad triggering is more dangerous because it may route users into persuasive or investment-adjacent ideation flows without sufficient scoping, guardrails, or user intent confirmation.

Natural-Language Policy Violations

Severity: Medium | Confidence: 95%
Finding:
The template hard-codes Vietnamese as the base language and instructs the agent to maximize Vietnamese output without requiring user preference or consent. This can override user intent, cause unexpected behavior, and create prompt-priority conflicts, but it is primarily a quality/safety issue rather than a direct security exploit.

Natural-Language Policy Violations

Severity: Medium | Confidence: 92%
Finding:
The template hard-codes Vietnamese as the default output language without indicating that language should be selected based on the user's request or explicit preference. In an agent setting, this can override user intent, degrade reliability, and create prompt-behavior misalignment that downstream workflows may silently propagate.

Natural-Language Policy Violations

Severity: Medium | Confidence: 95%
Finding:
The template hard-codes Vietnamese as the output language and instructs preserving English only in limited cases, without checking the user's preferred language or documenting why locale restriction is necessary. In an agent setting, this can override user intent, degrade reliability, and cause unsafe or misleading outputs if users assume responses will match their requested language.

Natural-Language Policy Violations

Severity: Medium | Confidence: 96%
Finding:
The template hard-codes Vietnamese as the base language and instructs preservation/translation behavior without any user choice, which can override a user's preferred language and reduce transparency about how outputs are transformed. In an investment-research workflow, this can cause misunderstanding, omitted nuance, or unintended prompt steering, especially when technical, legal, or financial details are translated by default.

Natural-Language Policy Violations

Severity: Medium | Confidence: 96%
Finding:
The template hard-codes Vietnamese as the base language and directs preservation/translation behavior without any user opt-in. This can override user preferences or upstream system expectations, causing unauthorized output shaping and reducing reliability in multilingual or compliance-sensitive contexts.

Natural-Language Policy Violations

Severity: Medium | Confidence: 92%
Finding:
The template hard-codes Vietnamese as the default output language and instructs preserving English only when necessary, without any user-choice or opt-in mechanism. This can override user preferences or upstream system expectations, creating instruction-priority conflicts and increasing the risk of unsafe or unusable outputs in multilingual contexts.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The template hard-codes Vietnamese as the base language and instructs maximal Vietnamese output without any user opt-in or fallback. This can override user preferences or higher-level application expectations, causing confusing or inaccessible responses and reducing reliability, though it is not a direct code-execution or data-exfiltration issue.

VirusTotal

57/57 vendors reported this skill as clean (no detections).