Crab

Security checks across malware telemetry and agentic risk

Overview

This Web3 research skill is mostly purpose-aligned, but it needs Review because it makes broad environment changes, stores reusable local credentials, saves investigation reports, and sends sensitive research targets to external services without enough upfront scoping or user control.

Review before installing. Use this only if you accept a global npm-installed browser tool, local Crab credentials in `~/.config/crab`, saved reports under `~/.crab-catch/reports`, and transmission of research targets to Crab/Grok/GitHub/on-chain services. Avoid using it on authenticated wallet, exchange, account, or confidential investigation pages unless you have explicit authorization and are comfortable with those data flows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill declares no permissions while its documented behavior clearly requires shell execution, network access, and use of environment/local state. This undermines least-privilege review and can cause the host to grant broader capabilities than users expect, especially since the skill also installs tools and performs authenticated API access.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
The skill is presented as a research/reporting tool, but its behavior includes generating persistent secp256k1 credentials, exposing reusable auth headers, and converting repositories into local aggregated content. That mismatch is dangerous because users may authorize a low-risk research workflow without realizing it creates credentials and persistent artifacts that can be reused or abused outside the immediate task.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding:
The documented behavior writes reports and an index file to disk despite being described as a research/reporting skill without prominent disclosure of persistent storage. Persistent local data can expose sensitive investigation targets, user queries, and derived intelligence to other local users, backup systems, or later compromise of the host.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding:
Requiring a global npm install and execution at session start modifies the host environment beyond what many users would expect from a research skill. Global installation increases supply-chain and persistence risk because it changes shared system state and may introduce a compromised package or unintended binaries into the user's PATH.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill writes PDF reports and an index into the user's home directory without clear up-front warning in the skill description. Silent writes to a predictable location can leak potentially sensitive research subjects and outputs, and create unwanted persistence that survives the session.

Missing User Warnings

Medium
Confidence: 86%
Finding:
The skill explicitly instructs the agent to take actions that can create local files (`screenshot`, `pdf`) and interact with remote pages (`click`, `fill`, `press`) without any safety guidance about side effects, destination paths, sensitive data handling, or accidental form submission. In a browser-automation skill used for web research, this omission is meaningful because agents may operate on untrusted sites where clicks, keypresses, or file writes can trigger unintended transactions, submissions, downloads, or persistence of sensitive content.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill explicitly instructs the agent to send contract addresses, wallet addresses, and related blockchain query parameters to third-party endpoints, but it does not disclose this off-platform transmission or its privacy implications. While these identifiers are often public on-chain, tying them to a user's investigation targets, watchlists, or research workflow can still leak sensitive operational intent and metadata to the service operator.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill routes user-supplied Twitter/X queries to an external service at `https://crab-skill.opsat.io`, but the documentation does not warn users that their inputs may be transmitted off-platform. In a Web3 research context, those queries can reveal sensitive investigative targets, trading interests, or client research topics, creating confidentiality and privacy risk even if the endpoint is otherwise legitimate.

VirusTotal

63/63 vendors flagged this skill as clean.
