ClawHub

Rising Transfers — Transfer Intel

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed football transfer lookup skill that sends player or club search terms to one stated API provider and does not include hidden code or local-data access.

Install only if you are comfortable sharing football player and club search terms with Rising Transfers and using your RT_API_KEY for authenticated requests. Watch credit usage for detailed lookups and Truth Meter checks, and disable skill auto-discovery if you want to approve each lookup manually.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill explicitly allows autonomous invocation for broad transfer-news queries, which can cause user prompts containing player and club names to be sent to a third-party service without a clear per-request consent boundary. While the transmitted data is relatively low sensitivity, the trigger scope is broad enough to increase the chance of unintended external disclosure and surprise network activity.

External Transmission

Medium
Category
Data Exfiltration
Content
| Endpoint | Method | Data Sent | Purpose |
|----------|--------|-----------|---------|
| `https://api.risingtransfers.com/api/v1/intelligence/hot-topics` | GET | None | Trending transfers (free, 0 credits) |
| `https://api.risingtransfers.com/api/v1/intelligence/transfer` | POST | `{ "name": "<player_name>" }` | Player transfer rumour detail (3 credits) |
| `https://api.risingtransfers.com/api/v1/intel/verify` | GET | `?q=<player>+to+<club>` | Truth Meter credibility score (1–5 credits) |

No data is sent to any other endpoint. No conversation history is transmitted.
Confidence
82% confidence
Finding
https://api.risingtransfers.com/

External Transmission

Medium
Category
Data Exfiltration
Content
|----------|--------|-----------|---------|
| `https://api.risingtransfers.com/api/v1/intelligence/hot-topics` | GET | None | Trending transfers (free, 0 credits) |
| `https://api.risingtransfers.com/api/v1/intelligence/transfer` | POST | `{ "name": "<player_name>" }` | Player transfer rumour detail (3 credits) |
| `https://api.risingtransfers.com/api/v1/intel/verify` | GET | `?q=<player>+to+<club>` | Truth Meter credibility score (1–5 credits) |

No data is sent to any other endpoint. No conversation history is transmitted.
Confidence
80% confidence
Finding
https://api.risingtransfers.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Call:
```
POST https://api.risingtransfers.com/api/v1/intelligence/transfer
Headers:
  X-RT-API-Key: <RT_API_KEY>
  Content-Type: application/json
Confidence
84% confidence
Finding
https://api.risingtransfers.com/

External Transmission

Medium
Category
Data Exfiltration
Content
Call:
```
GET https://api.risingtransfers.com/api/v1/intel/verify?q=<player>+to+<club>
Headers: X-RT-API-Key: <RT_API_KEY>
```
Confidence
84% confidence
Finding
https://api.risingtransfers.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal