BTC Monitor TalentverseX

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent BTC/ETH market monitor with disclosed optional Discord posting and optional cron scheduling, with no artifact-backed evidence of hidden theft, destructive behavior, or deception.

Install in a virtual environment if possible. Enable Discord only for a channel where you intend the generated report to appear, and use a least-privilege bot token. Run setup_cron.sh only if you want recurring background monitoring; review the schedule in config.json first, and remove the marked crontab entry if you later want to disable it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 82%
Finding
The documentation states that reports may optionally be sent to Discord but does not warn users that report contents will be transmitted to a third-party external service. While the report appears to contain market-monitor output rather than obvious secrets, external delivery can still expose operational details, configuration-derived content, or future sensitive additions if users enable it without understanding the data flow.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script unconditionally installs or replaces a cron entry in the current user's crontab without any interactive confirmation. This creates persistence and changes the user's execution environment, which is security-relevant because running the setup script has side effects beyond the current session and could surprise users or be abused if the script is invoked in an unexpected context.

VirusTotal

64/64 vendors flagged this skill as clean.
