Lista

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Lista reporting skill, but it needs review because it stores wallet data locally and includes under-specified alert/subscription flows.

Install only if you are comfortable saving wallet addresses in ~/.lista and sending wallet/report queries to Lista services. Treat the reports as read-only analysis, never provide private keys or sign transactions through this skill, and do not rely on its Telegram/Discord alert or digest subscription confirmations unless a separate notification system is verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (14)

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The skill is advertised as report-style, read-only analysis, but it persists language preferences to local storage. That creates stateful side effects inconsistent with a read-only boundary and can violate least-privilege expectations for users and host environments. While lower risk than wallet storage, it still means the skill modifies the local filesystem without clear upfront consent.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The skill claims to be read-only but instructs the agent to save and overwrite wallet addresses in ~/.lista/wallet.txt. Storing blockchain addresses is a privacy-sensitive side effect and breaks the documented routing boundary, increasing the chance of silent retention of user financial identifiers across sessions.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: Persistent storage of wallet addresses is not necessary to generate a lending report and is insufficiently justified by the stated purpose. Even if an address is public on-chain, local accumulation of user addresses enables tracking, cross-session profiling, and exposure to other local users or processes.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The document expands a read-only risk report into state-changing behavior by persisting threshold settings and enabling alert configuration. This creates capability drift: a user invoking a reporting skill could unintentionally modify long-lived local state or notification behavior, which is a real security and trust-boundary issue even if not overtly malicious.

Context-Inappropriate Capability
Severity: Medium
Confidence: 78%
Finding: Push-notification setup introduces an outbound communication capability that is materially different from generating a position report. If activated unexpectedly, it can alter user notification state and potentially route financial-risk data to third-party channels without sufficiently clear consent boundaries.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The skill tells the user that the wallet address will be saved locally but does not include a meaningful privacy and safety warning in the skill description or metadata. Users may not understand that a persistent local file will remain after the session and could be accessed by other software or users on the same machine.

Natural-Language Policy Violations
Severity: Medium
Confidence: 94%
Finding: The skill hardcodes output languages and subscription prompts in English and Traditional Chinese only, without adapting to the user's requested language or locale. This can cause misleading or inaccessible responses and creates UX-driven security issues in consent flows: a user who does not understand the prompt is more likely to confirm a subscription unintentionally or to miss important risk details.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The skill instructs the agent to fetch a wallet's lending positions and associated financial data without any requirement to notify the user, confirm ownership, or disclose what will be retrieved. In a DeFi assistant context, wallet activity and balances are sensitive financial metadata, and silent retrieval can expose private portfolio details or enable unintended surveillance if an arbitrary address is supplied.

Missing User Warnings
Severity: Medium
Confidence: 82%
Finding: The guidance says to always check ~/.lista/thresholds.json before computing risk, which directs the agent/tooling to read from the user's home directory without an explicit permission boundary. Accessing local files outside the skill's scoped workspace can disclose environment-specific or user-specific data and sets a risky precedent for filesystem access based on prompt instructions.

Natural-Language Policy Violations
Severity: Medium
Confidence: 94%
Finding: The skill hard-codes output to English or Traditional Chinese and requires strict template matching, without honoring the user's language preference. This can override user intent and system-level UX expectations, making the agent less transparent and potentially causing misleading or inaccessible responses for users who requested another language.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The trigger phrases for changing thresholds are broad enough that ordinary conversation could be interpreted as authorization to enter a state-changing workflow. In a financial assistant, ambiguous activation can lead to accidental persistent configuration changes that affect later reports and alerts.

Vague Triggers
Severity: Medium
Confidence: 80%
Finding: The activation phrase for enabling alerts is vague and may match casual user language rather than a deliberate configuration request. Because this can initiate notification setup and future outbound messaging, ambiguous phrasing increases the risk of unintended enrollment.

Missing User Warnings
Severity: Low
Confidence: 82%
Finding: Although the text mentions that custom thresholds affect all reports, the flow does not require a strong pre-write warning immediately before persistence. Users may not appreciate that a one-time conversational action changes future report behavior across sessions, which can undermine informed consent and operational reliability.

Session Persistence
Severity: Medium
Category: Rogue Agent
Confidence: 90%
Content (flagged excerpt from the skill):

**Validation:** For each scenario, DANGER < WARNING <= SAFE. Reject and re-ask if violated.

After collecting, write to `~/.lista/thresholds.json`:

```json
{
  "highLltv": { "danger": 0.005, "warning": 0.01 },
  "lowLltv": { "danger": 0.05, "warning": 0.10 }
}
```

Confirm to user:

> **EN:** Thresholds sav

VirusTotal

63/63 vendors flagged this skill as clean.
