IEX Cloud CLI

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed IEX Cloud market-data helper that uses a token and curl to call IEX API endpoints, with no evidence of hidden persistence, exfiltration, or unrelated system access.

Install only if you intend to let the agent query IEX Cloud market data. Use a scoped or sandbox IEX token when possible, store it through OpenClaw secrets rather than plaintext config, and review any use of raw API paths before running production-token requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill explicitly instructs users to run a local shell script and use environment-backed secrets, but it does not declare permissions corresponding to its shell and file-read capabilities. This creates a transparency and policy-enforcement gap: an agent or platform may allow the skill under the assumption that it is low-privilege, while it can actually invoke shell commands and access local files or environment-derived data.

VirusTotal

64/64 vendors flagged this skill as clean.
