Learn Moralis

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Moralis learning skill with no executable code or credential access, though users should treat its API-key and trading-bot examples as guidance for other tools rather than actions this skill can perform.

Safe to install as a learning/reference skill. Do not paste API keys into chat, and review any downstream Moralis Data API or Streams skill separately before granting it API-key, network, webhook, or file-write access. Treat the trading-bot examples as implementation ideas, not complete financial automation guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The skill manifest explicitly says this is a knowledge-only skill with no API key or environment-variable access, but the documentation tells users the skill will check for `MORALIS_API_KEY` and help create `.env`. That mismatch can mislead users and downstream orchestration into expecting secret handling or file modification behavior that the skill should not perform, increasing the risk of unsafe prompting around credentials and configuration.

Vague Triggers

Medium
Confidence: 81%
Finding
The description uses broad triggers such as 'what is Moralis', 'can Moralis do X', and other exploratory phrases that can easily appear in ordinary conversation. In agent environments with heuristic routing, overly broad invocation language can cause accidental activation, unexpected context switching, or inappropriate routing to this skill when the user did not intend to invoke it.

Vague Triggers

Medium
Confidence: 84%
Finding
The behavior section allows activation on casual phrasing like 'learn moralis' without defining strict boundaries, which increases the chance of unintentional invocation. While this is not a direct code-execution issue, it can lead to prompt-routing confusion and cause the assistant to answer from the wrong skill context.

VirusTotal

66/66 vendors flagged this skill as clean.
