Crypto Market Analysis

Security checks across malware telemetry and agentic risk

Overview

The skill’s market analysis purpose is legitimate, but it needs review because it can automatically install an unpinned Python package and alter the local Python subprocess environment.

Review before installing. The Binance data access is public and purpose-aligned, but only use this skill if you are comfortable with it automatically installing TA-Lib into a hard-coded Anaconda Python environment. Safer use would preinstall a pinned TA-Lib dependency in an isolated environment and disable runtime package installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        else:
            print("TA-Lib not found. Attempting to install TA-Lib...", file=sys.stderr)
            # Use pip to install TA-Lib. Use the explicit Python executable.
            subprocess.run([PYTHON_EXECUTABLE, "-m", "pip", "install", "TA-Lib"], check=True, capture_output=True)
            print("TA-Lib installed successfully.", file=sys.stderr)
            return True
    except subprocess.CalledProcessError as e:
Confidence
97% confidence
Finding
subprocess.run([PYTHON_EXECUTABLE, "-m", "pip", "install", "TA-Lib"], check=True, capture_output=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises capabilities that require network, shell, and environment access, but does not declare any permissions or constraints. This is dangerous because users and the platform cannot accurately assess or sandbox the skill's real execution surface, especially when combined with package installation and subprocess environment control.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is market analysis, but the implementation reportedly also installs TA-Lib at runtime via pip and modifies subprocess environment variables such as PYTHONPATH, PYTHONHOME, and PYTHONSTARTUP. Runtime package installation and execution-environment manipulation significantly expand the attack surface, enabling supply-chain risk, unexpected code execution paths, and behavior not reasonably implied by the stated function.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
A market-analysis skill should not need to install software dynamically during normal operation. Runtime installation is dangerous because it silently expands the skill's capabilities, changes the host state, and introduces supply-chain risk from externally fetched packages, which is especially concerning in an agent environment where users do not expect software management side effects.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill spawns Python and pip subprocesses even though its declared purpose is only crypto market analysis. In the skill context, this makes the behavior more dangerous because the execution capability is broader than necessary and can be abused to run arbitrary local tooling or alter the environment if adjacent controls fail.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code copies the full host environment into subprocesses and then augments `PYTHONPATH` and `PYTHONHOME`. This is risky because secrets or sensitive execution context present in environment variables may be exposed to child processes unnecessarily, and altered Python import paths can unintentionally load untrusted modules from inherited locations.

VirusTotal

66/66 vendors flagged this skill as clean.
