Defi Intelligence Skill

Security checks across malware telemetry and agentic risk

Overview

This DeFi skill is mostly coherent, but it exposes paid external calls and irreversible wallet-affecting actions without enough scoping or confirmation safeguards.

Install only if you trust the gateway operator and are comfortable sending wallet-related data and an API key to that service. Treat write endpoints as high risk: require explicit human approval, verify chain, recipient, token amounts, allowances, and slippage out of band, and avoid arbitrary contract/write calls unless you fully understand the transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill documents shell-based invocation of a networked script but declares no permissions, which creates a transparency and governance gap. Users or hosting platforms may treat the skill as lower risk than it is, even though it can reach external services and invoke paid remote actions.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The top-level description presents the skill as an intelligence/read-oriented tool, but the file also exposes state-changing operations: swap execution and arbitrary contract writes. That omission can mislead users into invoking a skill they believe is read-only when it can spend assets or submit irreversible blockchain transactions.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding
The script materially contradicts the declared DeFi purpose by acting as a generic research gateway client, including endpoints for web and paper search. This scope mismatch is dangerous because it can lead users or upstream agents to send prompts, wallet-related context, or API credentials to an unexpected third-party service under a misleading DeFi label.

Intent-Code Divergence

Severity: Medium
Confidence: 86%
Finding
The inline documentation openly describes a 'deep-research gateway caller,' which conflicts with the advertised DeFi identity and increases the risk of deceptive or unintended data flow. In an agent setting, mislabeled capabilities can lead operators to approve execution they would not otherwise permit, especially when external network access and payment flows are involved.

Context-Inappropriate Capability

Severity: Medium
Confidence: 82%
Finding
The usage examples show broad research/web-search behavior that is not justified by the stated DeFi purpose, enabling off-scope exfiltration of user-supplied queries to a third-party gateway. This is more dangerous in a wallet/DeFi context because users may assume only market or on-chain data is being queried, not arbitrary web research requests.
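The four scope findings above (the two description-behavior mismatches, the intent-code divergence and the context-inappropriate capability) can be caught before install by comparing a skill's front-matter description with the endpoints its usage examples actually document. The following is an added example written for this report; it is not SkillSpector's scanner and not the skill's own code. SKILL_TEXT and FIXED_TEXT are constructed stand-ins modelled on the findings, and the endpoint names and the `gateway.py <endpoint> '<json>'` invocation form are assumptions.

```python
"""Static check: does a skill file's description match the capabilities it documents?

Added example for this report; not SkillSpector's scanner and not the skill's code.
SKILL_TEXT and FIXED_TEXT are constructed stand-ins modelled on the findings; the
endpoint names and the `gateway.py <endpoint> '<json>'` form are assumptions.
"""
import re

SKILL_TEXT = """\
---
name: defi-intelligence
description: DeFi intelligence skill for market and on-chain data lookups.
---
# Usage
Run `python gateway.py <endpoint> '<json>'` (deep-research gateway caller).
  gateway.py wallet/balances '{"address": "0x..."}'
  gateway.py defi/positions '{"address": "0x..."}'
  gateway.py swap/execute '{"chain_id": 1, "amount_in": "1.0"}'
  gateway.py contract/write '{"to": "0x...", "data": "0x..."}'
  gateway.py research/web '{"query": "..."}'
  gateway.py research/papers '{"query": "..."}'
"""

# A rewrite that declares the write surface, drops off-scope endpoints and warns.
FIXED_TEXT = """\
---
name: defi-intelligence
description: DeFi data lookups plus swap execution and contract writes (explicit approval required).
---
Every write is irreversible; the script prompts for confirmation before sending.
  gateway.py wallet/balances '{"address": "0x..."}'
  gateway.py swap/execute '{"chain_id": 1, "amount_in": "1.0"}'
"""

WRITE_MARKERS = ("swap/execute", "contract/write", "approve", "transfer", "send")
OFF_SCOPE_MARKERS = ("research/", "web-search", "paper")
READ_ONLY_HINTS = ("intelligence", "lookup", "read", "analytics", "monitor")
WRITE_WORDS_IN_DESC = ("swap", "execute", "write", "trade", "transfer")
WARNING_WORDS = re.compile(r"confirm|approval|irreversible|warning", re.I)


def parse(text: str):
    """Pull the front-matter description and every endpoint the usage examples document."""
    m = re.search(r"^description:\s*(.+)$", text, re.M)
    description = m.group(1).strip() if m else ""
    # Only indented example lines count; the generic "gateway.py <endpoint>" line does not.
    endpoints = sorted(set(re.findall(r"^\s+gateway\.py\s+(\S+)", text, re.M)))
    return description, endpoints


def audit(text: str) -> list:
    """Return (finding, evidence) pairs mirroring the report's categories."""
    description, endpoints = parse(text)
    desc = description.lower()
    writes = [e for e in endpoints if any(w in e for w in WRITE_MARKERS)]
    off_scope = [e for e in endpoints if any(o in e for o in OFF_SCOPE_MARKERS)]
    claims_read_only = (any(h in desc for h in READ_ONLY_HINTS)
                        and not any(w in desc for w in WRITE_WORDS_IN_DESC))
    findings = []
    if claims_read_only and writes:
        findings.append(("description-behavior-mismatch", writes))
    if "defi" in desc and off_scope:
        findings.append(("context-inappropriate-capability", off_scope))
    if "deep-research" in text.lower() and "research" not in desc:
        findings.append(("intent-code-divergence", ["deep-research gateway caller"]))
    if writes and not WARNING_WORDS.search(text):
        findings.append(("missing-user-warnings", writes))
    return findings


if __name__ == "__main__":
    for label, text in (("as shipped", SKILL_TEXT), ("after fix", FIXED_TEXT)):
        print(label, audit(text) or "no findings")
```

The check is deliberately keyword-based: the point is that every state-changing or off-scope endpoint a skill documents should appear in its description, and a reviewer should refuse a skill whose description reads as read-only while its examples include swap or contract-write calls.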

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Wallet profiling, balances, transaction history, NFT holdings, and DeFi positions all involve sending user-linked blockchain addresses and portfolio data to an external gateway. Without an explicit privacy warning, users may unknowingly expose sensitive financial intelligence, which can enable profiling, surveillance, or data retention by third parties.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill documents destructive or irreversible blockchain actions (executing swaps and submitting arbitrary contract write calls) without a strong confirmation requirement or an explicit warning about asset loss, token approvals, slippage, and permanent on-chain effects. The danger is elevated here because these actions directly affect wallets and funds, not just external data retrieval.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script sends the request body and optional bearer token to a remote service immediately, without any user-facing confirmation, redaction, or policy check. In an agent environment, this can leak sensitive prompts, wallet data, search terms, or API credentials to an external endpoint that may not match user expectations.
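The three Missing User Warnings findings and the Overview's advice all call for the same control: a pre-flight gate in front of the gateway call that refuses unknown endpoints, holds writes until a human has approved them and they pass chain, recipient, slippage and allowance checks, warns before wallet data leaves the host, and masks credentials in anything shown or logged. The following is an added example written for this report; it is not the skill's script and not SkillSpector code. The endpoint names and request fields (`swap/execute`, `chain_id`, `slippage_bps`, `allowance_wei`, ...) are assumptions modelled on the findings, and the sample requests are constructed.

```python
"""Pre-flight gate for requests a DeFi skill sends to a remote gateway.

Added example for this report; it is not the skill's own script and not
SkillSpector code. The endpoint and field names below ("swap/execute",
"chain_id", "slippage_bps", ...) are assumptions modelled on the findings.
"""
import re
from dataclasses import dataclass, field

# Assumed endpoint groups: spend/submit, disclose wallet data, off-scope research.
WRITE_ENDPOINTS = {"swap/execute", "contract/write", "token/approve"}
WALLET_READ_ENDPOINTS = {"wallet/profile", "wallet/balances", "wallet/history",
                         "wallet/nfts", "defi/positions"}
OFF_SCOPE_ENDPOINTS = {"research/web", "research/papers"}
KNOWN_ENDPOINTS = WRITE_ENDPOINTS | WALLET_READ_ENDPOINTS | OFF_SCOPE_ENDPOINTS

EVM_ADDRESS = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
SECRET_FIELDS = {"authorization", "api_key", "private_key", "mnemonic", "seed"}


@dataclass
class Policy:
    allowed_chain_ids: set        # chain IDs the operator has approved
    allowed_recipients: set       # lowercase 0x addresses
    max_slippage_bps: int         # 50 == 0.5 %
    max_allowance_wei: int        # never grant an unlimited allowance
    allow_off_scope: bool = False


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)    # why the call is blocked
    warnings: list = field(default_factory=list)   # shown to the human before sending
    safe_body: dict = field(default_factory=dict)  # loggable copy, secrets masked


def redact(body: dict) -> dict:
    """Copy of the request body with credential-like fields masked."""
    out = {}
    for key, value in body.items():
        if key.lower() in SECRET_FIELDS:
            out[key] = "***REDACTED***"
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


def check_write(body: dict, policy: Policy, approved: bool) -> list:
    """Every write call must clear these checks before it leaves the host."""
    reasons = []
    if not approved:
        reasons.append("write endpoint requires explicit human approval")
    chain = body.get("chain_id")
    if chain not in policy.allowed_chain_ids:
        reasons.append(f"chain_id {chain!r} not in allowlist")
    recipient = str(body.get("recipient", "")).lower()
    if recipient not in policy.allowed_recipients:
        reasons.append(f"recipient {recipient!r} not in allowlist")
    slippage = body.get("slippage_bps")
    if slippage is None or slippage > policy.max_slippage_bps:
        reasons.append(f"slippage {slippage!r} exceeds {policy.max_slippage_bps} bps")
    allowance = body.get("allowance_wei")
    if allowance is not None and allowance > policy.max_allowance_wei:
        reasons.append(f"allowance {allowance} exceeds cap {policy.max_allowance_wei}")
    return reasons


def gate(body: dict, policy: Policy, approved: bool = False) -> Decision:
    """Default-deny decision: unknown endpoints and unapproved writes never go out."""
    endpoint = body.get("endpoint", "")
    decision = Decision(allowed=True, safe_body=redact(body))
    if endpoint in WRITE_ENDPOINTS:
        decision.reasons = check_write(body, policy, approved)
        decision.warnings.append("irreversible on-chain action: confirm chain, recipient, "
                                 "amounts, allowance and slippage out of band")
    elif endpoint in WALLET_READ_ENDPOINTS:
        addresses = EVM_ADDRESS.findall(str(body))
        if addresses:
            decision.warnings.append(f"sends {len(addresses)} wallet address(es) and "
                                     "portfolio data to the gateway operator")
    elif endpoint in OFF_SCOPE_ENDPOINTS and not policy.allow_off_scope:
        decision.reasons.append(f"endpoint {endpoint!r} is outside the DeFi scope")
    elif endpoint not in KNOWN_ENDPOINTS:
        decision.reasons.append(f"unknown endpoint {endpoint!r}; refusing by default")
    decision.allowed = not decision.reasons
    return decision


# Constructed sample requests (not captured from the real skill).
POLICY = Policy(allowed_chain_ids={1}, allowed_recipients={"0x" + "ab" * 20},
                max_slippage_bps=50, max_allowance_wei=10**18)
SWAP_UNCHECKED = {"endpoint": "swap/execute", "chain_id": 1, "recipient": "0x" + "AB" * 20,
                  "slippage_bps": 500, "allowance_wei": 2**256 - 1,
                  "Authorization": "Bearer sk-example"}
SWAP_APPROVED = {"endpoint": "swap/execute", "chain_id": 1, "recipient": "0x" + "ab" * 20,
                 "slippage_bps": 30, "allowance_wei": 5 * 10**17}
BALANCES = {"endpoint": "wallet/balances", "address": "0x" + "12" * 20}
WEB_SEARCH = {"endpoint": "research/web", "query": "best stablecoin yields"}

if __name__ == "__main__":
    for req in (SWAP_UNCHECKED, SWAP_APPROVED, BALANCES, WEB_SEARCH):
        d = gate(req, POLICY, approved=req is SWAP_APPROVED)
        print(req["endpoint"], "ALLOW" if d.allowed else "BLOCK", d.reasons, d.warnings, d.safe_body)
```

The gate is called before the HTTP request, and `approved` must come from a human acting on the printed warnings, never from the agent itself; `safe_body` is what gets logged or shown, so a bearer token or private key in the body never reaches a transcript.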

VirusTotal

VirusTotal findings are pending for this skill version.
