Predict.fun MCP

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Predict.fun data connector that uses your Graph API key to query public market and wallet data, with quota and privacy cautions but no evidence of malicious behavior.

Install only if you want an agent to query Predict.fun through your own API key for The Graph. Use a dedicated key with quota limits, monitor usage of custom GraphQL queries, and do not expose the optional SSE/HTTP server to untrusted networks without access control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares runtime requirements that include access to an environment variable (`GRAPH_API_KEY`) and makes outbound network requests to The Graph Gateway, but it does not expose an explicit permissions declaration for those capabilities. This creates a transparency and governance gap: users or hosting systems may not have a clear, enforceable statement of what the skill can access, increasing the risk of unintended secret exposure or unreviewed external communications.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The `query_subgraph` tool accepts an arbitrary user-provided GraphQL string and forwards it to external The Graph endpoints with the server's API key. This expands the skill from fixed analytics into a general-purpose remote query proxy, enabling unbounded data access, unexpected cost generation, and bypass of any intended tool-level restrictions described by the skill metadata.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
These meta-tools go beyond ordinary market-data retrieval and explicitly profile wallets into behavioral archetypes such as `whale_accumulator`, `yield_farmer`, and `resolution_sniper`, as well as scan the platform for matching traders. That creates a surveillance and deanonymization-style capability that can be used to target individuals, infer strategies, or enable downstream abuse, especially when combined with address-level history and position data.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The `query_subgraph` tool exposes a generic pass-through for arbitrary user-supplied GraphQL to external The Graph endpoints. While it does not appear to enable direct code execution or mutation, it expands the skill beyond fixed analytics into unrestricted external query brokerage, which can be abused to trigger expensive queries, exfiltrate more data than intended by the curated tools, and consume the operator's paid API quota.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The tool transmits arbitrary user-supplied GraphQL directly to a remote API without warning, consent language, or controls on what may be sent. Because requests are executed server-side with the configured API key, users can cause external data transmission and paid API consumption that may not be obvious to operators or end users.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The custom query tool forwards raw user input directly to third-party GraphQL endpoints without validation, warning, or scoping. In this skill's context, that is especially risky because the Graph Gateway is authenticated with a billable server-side API key, so an untrusted user can cause unbounded external requests and potentially high-cost or abusive queries under the operator's account.

VirusTotal

64/64 vendors flagged this skill as clean.
