ClawHub

Dune Analytics API

Security checks across malware telemetry and agentic risk

Overview

This Dune Analytics skill is legitimate in purpose, but it needs review because it can use a Dune API key to make persistent remote changes and expose public Dune artifacts without strong confirmation safeguards.

Install only if you are comfortable giving the skill access to a Dune API key with permissions to run queries, consume credits, upload local files, and modify Dune resources. Require explicit confirmation before public query creation, saved-query updates, CSV overwrites, table clears/deletes, or uploads of sensitive local files; prefer private resources and append-style uploads for important data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares required environment variables and bundled files but does not expose an explicit permission model, so an agent may gain access to sensitive inputs and local reference content without clear user-facing authorization boundaries. This is risky because the skill can read secrets like DUNE_API_KEY and local files, and the broad trigger scope increases the chance it is invoked in contexts where that access was not intended.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The script exposes an update_sql command that can modify remote Dune query definitions, which is a state-changing capability beyond read-only analytics. In an agent skill context, this is risky because a user or upstream prompt could trigger unintended modification of a saved query, causing integrity loss or disruption of dashboards and downstream consumers.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger text is unusually broad and instructs use for many generic blockchain and analytics topics, even when the user does not explicitly mention Dune. That can cause unintended invocation of a credentialed skill in unrelated requests, expanding the attack surface and enabling unnecessary access to the Dune API key, file references, and destructive operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that upload_csv overwrites existing data, but the surrounding guidance and examples do not require a confirmation step before destructive use. In an agent setting, that creates a realistic risk of accidental data loss or table corruption if the skill is invoked automatically or with ambiguous user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly recommends falling back from a private query to a public query when the account plan does not support privacy, which can expose SQL, parameters, and potentially sensitive analysis artifacts without requiring an explicit informed user decision. In a blockchain analytics skill, queries may embed wallet addresses, investigation targets, proprietary logic, or other sensitive context, so silent public creation creates a real confidentiality risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The update_sql path performs a remote write immediately with no pre-action warning, dry-run, or confirmation, making accidental or prompt-induced changes easy. In an agent setting, the absence of friction before a destructive action materially increases the chance of unauthorized or mistaken updates to persisted SQL.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal