Base Stable Arb Radar

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto market monitoring tool that reads public market data, stores local state, and can optionally send alerts, but it does not sign or execute trades itself.

Install only if you are comfortable with a crypto monitoring tool that makes external RPC and price API requests, writes local state/cache files, and may produce unsigned transaction calldata. Do not configure a webhook you do not control, and independently verify any manual-fire payload before using it in a real signing workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill advertises itself without declared permissions even though its described surfaces imply environment access, file reads/writes, and outbound network use. This undermines informed consent and sandboxing because operators may install a supposedly simple read-only skill that can persist data locally and send data over the network.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The declared purpose emphasizes read-only monitoring, but the described behavior extends to local state persistence, continuous monitoring loops, arbitrary webhook delivery, and third-party HTTP calls. This mismatch is dangerous because users may grant trust based on a narrow monitoring description while the skill actually creates broader data egress, persistence, and automation surfaces that can be abused or misconfigured.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The skill advertises itself as 'read-only', but it writes persistent cache/state files and can send outbound webhook notifications. This creates a capability mismatch that can mislead operators, causing unanticipated data persistence and network egress in environments that may assume passive observation only.

Context-Inappropriate Capability

Severity: Low
Confidence: 88%
Finding
The ClawHub star prompt is unrelated to the stated scanning function and introduces extraneous operator-directed behavior. While not directly exploitable code execution, this kind of promotional side effect is a trust and integrity issue because it conditions users to act on nonessential instructions emitted by security-sensitive tooling.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The README does not clearly define when the skill should be invoked, whether it is intended for one-shot scans versus continuous monitoring, or what guards limit activation. Ambiguous invocation scope can lead to unintended long-running polling, repeated outbound requests, unnecessary file writes, and accidental triggering in contexts where the operator expected a passive or manual-only tool.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Webhook notifications include detailed profit data and a ready-to-run command string, and they are sent to an arbitrary configured URL without strong disclosure or minimization. This can leak sensitive trading intelligence and operational instructions to third parties, especially if the webhook endpoint is misconfigured, compromised, or controlled by an untrusted service.

VirusTotal

65/65 vendors flagged this skill as clean.
