ClawHub

Fía Signals

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto market-data API wrapper; users should understand that queries go to Fía Signals and premium endpoints may lead to x402 payment flows.

Install only if you are comfortable sending crypto lookup inputs such as wallet addresses, contract addresses, token symbols, and chain names to Fía Signals. Review premium endpoint pricing before following x402 payment links, and do not provide private keys, seed phrases, wallet passwords, or unrelated sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and documents executable shell scripts that make network requests, but the manifest does not declare corresponding permissions. This creates a trust and review gap: users or the platform may assume the skill is passive documentation while it can actually invoke shell and external network access, which can enable unintended data exfiltration, remote calls, or payment-triggering behavior.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README prominently lists paid commands and per-call prices, but it does not clearly warn users that simply invoking those commands will trigger real micropayment-backed requests and spend funds. In an agent skill context, users may treat command examples as safe to run during testing, so the lack of an explicit spending warning increases the risk of unintended financial charges.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal