MistTrack Skills

Security checks across malware telemetry and agentic risk

Overview

The AML features are mostly coherent, but the skill also bundles wallet-key handling and crypto payment signing that users should review carefully.

Install for MistTrack AML checks only if you understand the payment module. Prefer MISTTRACK_API_KEY for normal read-only use, avoid x402 unless necessary, never use a production wallet key, avoid --auto and auto_pay=True, and use a dedicated low-balance wallet if pay-per-use access is required.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises significant capabilities including environment access, file read/write, network access, and shell execution, yet does not declare permissions. This creates a trust and containment gap: an agent platform or reviewer may assume the skill is lower risk than it really is, while the documented workflows include executing scripts, reading local key files, and making outbound requests. In this context, the undeclared capabilities are more dangerous because the package can touch sensitive material and initiate payment-related operations.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The skill is described primarily as a MistTrack AML/risk-analysis tool, but the documented behavior includes broader non-MistTrack multisig analysis plus x402 payment handling, reading private keys from local files, and signing blockchain payment authorizations. That mismatch can mislead operators into granting trust or integrating the skill for read-only analytics when it also contains transaction-signing and payment capabilities, increasing the chance of accidental key exposure or unintended on-chain actions. The cryptocurrency context makes this especially sensitive because even limited signing/payment behavior can directly cost funds.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: This reference document materially expands the skill from AML/risk-analysis into payment-protocol implementation and execution guidance. In an agent skill context, that scope drift is dangerous because it can cause an analysis-oriented agent to discover, configure, or participate in payment flows and blockchain interactions that users did not explicitly authorize.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The text explicitly directs MistTrack users to use payment scripts for x402-protected endpoints, which turns a nominally investigative/AML skill into one that may initiate value transfer. In agent environments, instructions that bridge from documentation to executable payment workflows increase the likelihood of unauthorized spending or unsafe automation.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: This file implements a cryptocurrency payment client and transaction-signing workflow, including EIP-3009 and Solana partial signing, which is materially outside the stated purpose of a read-oriented MistTrack AML/risk analysis skill. In this context, adding payment authorization capability creates a high-risk path for fund movement and broadens the attack surface far beyond data lookup or investigation.

Context-Inappropriate Capability
Severity: High
Confidence: 98%
Finding: The code reads a private key from disk and then uses it downstream for blockchain signing, which grants the skill the ability to authorize token transfers. For an AML/risk-analysis skill, secret key handling is unnecessary and dangerous because compromise of the tool, inputs, or operator workflow could lead directly to unauthorized fund movement.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The generic HTTP 402 flow automatically parses server-provided payment instructions, prepares a signed payment payload, and retries the request with proof of payment. In a skill whose declared purpose is analysis rather than payments, this creates an unnecessary capability for remote endpoints to solicit on-chain payment attempts and increases the chance of misuse or operator error.

Intent-Code Divergence
Severity: Medium
Confidence: 97%
Finding: The documentation explicitly states that private keys must only be provided via a protected key file and that inline secrets should be avoided, but the inline Python example then accepts a raw private key string and enables `auto_pay=True`. This contradiction normalizes unsafe secret handling and automatic transaction signing, increasing the chance that downstream users embed wallet keys in code, logs, notebooks, or agent memory and authorize payments without meaningful user approval.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The README instructs users to place a raw private key in a local file and only mentions filesystem permissions, without clearly warning that this key directly authorizes spending and could be stolen via malware, backups, shell history mistakes, or accidental disclosure. In a cryptocurrency payment context, normalizing plaintext private key handling materially increases the chance of wallet compromise and fund loss.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The client example automatically retries a request with an `X-Payment` header after receiving a 402 response, without an explicit warning, confirmation step, or spend-validation guard. In practice, this normalizes autonomous payment behavior and could lead an agent or developer to send real blockchain payments to an untrusted endpoint based only on server-provided instructions.

Missing User Warnings
Severity: Low
Confidence: 90%
Finding: The script sends a user-supplied wallet address to the Safe Transaction Service, which is a third-party endpoint, without any explicit notice or consent flow. While a wallet address is often public blockchain data, querying it can still disclose user investigative intent, correlate activity with the caller's IP address, and create privacy leakage to external services.

Missing User Warnings
Severity: Low
Confidence: 94%
Finding: The TRON analysis path transmits the user-provided address to TronGrid, a public third-party API, without clearly warning the user. Even though the address itself may be public, the lookup can reveal what address the user is investigating and link that interest to network metadata such as source IP and timing.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The Trust Wallet trigger condition is described broadly enough that it could activate in routine code-generation or transaction-handling contexts without strong scoping constraints. In a wallet or agent environment, over-broad activation can cause unintended interception of benign workflows, incorrect AML gating, or unexpected security decisions on user actions.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The documentation authorizes automatic ALLOW/BLOCK behavior and whitelist-based auto-allow decisions, but it does not consistently require prominent user-facing disclosure before a transfer is interrupted or silently permitted due to heuristic trust decisions. In financial-transfer contexts, hidden enforcement or silent bypass logic can create unsafe UX, compliance disputes, and user harm if classifications are wrong or stale.

VirusTotal

VirusTotal findings are pending for this skill version.