valuescan-skill-beta

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ValueScan crypto analytics skill that uses disclosed API credentials to query market-data endpoints, with no artifact-backed malicious behavior.

Install only if you are comfortable storing a ValueScan API key and secret locally and allowing the skill to use API credits for crypto market-analysis queries. Ask for clarification on vague market questions if you want to avoid unexpected fund-flow or sentiment calls, and do not treat the results as financial advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The notes define very broad natural-language triggers such as '异动', '上涨机会', and '看涨代币', which are common phrases in ordinary crypto discussion and can cause the skill to invoke this endpoint when the user did not explicitly ask for this specific data source. In an agent setting, overly broad routing increases the chance of unintended tool use, misleading outputs, and poor query isolation, especially in a high-risk financial decision context.

Vague Triggers

Medium
Confidence: 92%
Finding
The note says natural-language requests about market sentiment may invoke this endpoint and pair it with real-time fund-flow data, but it does not define boundaries, exclusions, or user-confirmation requirements. In an agent setting, this can cause over-broad tool activation from ambiguous prompts, leading to unnecessary token-gated API calls, unintended data access patterns, or surprising multi-tool behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
