ClawHub

HYRE DeFi Intelligence

Security checks across malware telemetry and agentic risk

Overview

This DeFi skill is mostly transparent about using a paid external analytics service, but it includes an unsafe autonomous trading pattern that could lead to financial loss without clear user approval.

Review this skill carefully before installing. Use it only for explicit DeFi analytics requests, confirm any paid x402 USDC call before it is made, and do not allow it to place trades or run polling bots unless you have separate trading safeguards, budgets, and manual approval controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description and activation guidance are broad enough to trigger on generic requests about trading signals, new tokens, whale tracking, or DeFi data, which can cause the agent to invoke a paid external service outside a narrowly scoped user intent. In this context, overbroad routing is risky because the skill is financial and payment-backed, so mistaken activation can lead to unnecessary external data transmission and paid actions.

Missing User Warnings

High
Confidence
95% confidence
Finding
The documented trading bot pattern explicitly recommends polling for new tokens and auto-buying when a model returns signal="snipe" and confidence>0.7, without any warning, human approval gate, or financial risk disclosure. In a DeFi trading skill, this is especially dangerous because it normalizes autonomous speculative purchases based on third-party AI output, which can cause immediate financial loss or unsafe trading behavior.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal