31Third Safe Rebalancer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate 31Third Safe rebalancing skill, but it can automatically submit real portfolio trades and send portfolio planning data to 31Third, so it should be reviewed carefully before installation.

Install only if you intend this skill to submit real trades for the configured Safe. Use an executor wallet with limited authority, never provide the Safe owner private key, run smoke/check-drift/plan-only workflows first, review what portfolio data is sent to 31Third, and consider adding an operator confirmation step before enabling rebalance_now in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The ABI exposes privileged administrative capabilities such as addPolicy, removePolicy, setExecutor, and setCooldown that materially exceed the stated purpose of a 'policy-aware safe portfolio rebalancing assistant'. Even if these functions are access-controlled on-chain, surfacing them through the skill broadens the operational scope and can mislead users or higher-level agents into invoking governance-changing actions under the guise of routine rebalancing.

Context-Inappropriate Capability

High
Confidence
87% confidence
Finding
The exposed addPolicy and removePolicy functions allow mutation of the policy registry, which directly changes the security constraints governing trade execution. In the context of a rebalancing assistant, this is dangerous because weakening or replacing policies can silently bypass intended safety checks before subsequent trades are executed.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The exposed addPolicy and removePolicy functions allow mutation of the policy registry, which directly changes the security constraints governing trade execution. In the context of a rebalancing assistant, this is dangerous because weakening or replacing policies can silently bypass intended safety checks before subsequent trades are executed.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The ABI clearly exposes privileged oracle administration functions such as setFeed(address,address) and clearFeed(address), which are broader than a narrowly scoped portfolio rebalancing assistant would typically require. In the context of a rebalancing skill, bundling owner-controlled feed mutation increases risk because a compromised or misused owner path can silently alter pricing dependencies and cause incorrect portfolio decisions or downstream asset loss.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Including the ability to mutate oracle/feed configuration inside a package described as a 'safe portfolio rebalancing assistant' creates dangerous capability creep. If this capability is reachable by the agent, operator, or an attacker who gains privileged access, they could repoint feeds to malicious or incorrect sources, corrupt valuations, and drive harmful or manipulative rebalancing actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill sends wallet and portfolio-related data including safeAddress, signerAddress, baseEntries, and target allocations to an external planning SDK/service via planRebalancingWithSdk. In a security-sensitive trading skill, undisclosed third-party transmission of holdings and intended allocation data creates privacy, metadata leakage, and trust-boundary risks, especially because the returned plan is later used to drive execution.

Missing User Warnings

High
Confidence
96% confidence
Finding
rebalance_now performs a full live workflow from drift check to planning to on-chain execution without any inline confirmation gate, explicit dry-run requirement, or user acknowledgement in the execution path. Because this skill controls an executor wallet and can submit real transactions, misuse, accidental invocation, or prompt-level confusion could cause unauthorized or unintended asset trades.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The function sends wallet, signer, chain ID, allocation targets, and base asset holdings to an external 31Third API endpoint. Even if this is expected product behavior, it is still a real privacy and data-governance risk because sensitive portfolio metadata leaves the local/trusted execution boundary without any visible consent, minimization, or alternative local-only path in this file.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function sends sensitive portfolio metadata to a third-party API, including wallet and signer addresses, target allocations, and optionally balance-derived base entries. Even if this is required for the SDK feature, there is no evidence in this code of explicit user consent, minimization, or alternate local-only planning, so it creates a real privacy and operational data exposure risk.

External Transmission

Medium
Category
Data Exfiltration
Content
}
export async function planRebalancingWithSdk(input) {
    return calculateRebalancing({
        apiBaseUrl: 'https://api.31third.com/1.3',
        apiKey: input.apiKey,
        chainId: input.chainId,
        payload: {
Confidence
93% confidence
Finding
https://api.31third.com/

External Transmission

Medium
Category
Data Exfiltration
Content
export async function planRebalancingWithSdk(input: SdkPlanInput): Promise<RebalancingResponse> {
  return calculateRebalancing({
    apiBaseUrl: 'https://api.31third.com/1.3',
    apiKey: input.apiKey,
    chainId: input.chainId,
    payload: {
Confidence
87% confidence
Finding
https://api.31third.com/

VirusTotal

64/64 vendors flagged this skill as clean.
