ClawHub

Crypto Genie

Security checks across malware telemetry and agentic risk

Overview

Crypto Genie appears purpose-built for crypto scam checks, but it can send checked addresses to Etherscan and store decoded transaction data despite local-only and no-storage claims.

Install only if you are comfortable with checked crypto addresses being stored locally and, for unknown addresses, sent to Etherscan using your API key. Avoid using it for sensitive investigations unless you disable or isolate network sync, treat decoded transaction messages as untrusted text, and rotate any API key that may have appeared in logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation materially conflicts with the stated 'No external API calls during checks' safety claim by describing a built-in architecture that relies on a background worker pulling data from Etherscan. Even if the user-facing check path is DB-only, this is still an external data flow that can mislead users and reviewers about network behavior, trust boundaries, and data exposure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This section presents Etherscan API access as a core component while the skill metadata claims no external API calls during checks, creating a deceptive or at least incomplete security posture. Such inconsistencies can cause operators to deploy the skill under false assumptions about privacy, egress controls, and compliance requirements.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The README and metadata make a strong claim of 'No external API calls during checks,' but the documented behavior clearly says unknown addresses trigger real-time Etherscan syncs. This is a security-relevant documentation integrity issue because users may rely on the false privacy/network assumption when checking sensitive addresses.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The README claims 'No Telemetry' and emphasizes local processing, yet elsewhere documents sending data and API credentials to external services such as Etherscan and ChainAbuse. Even if this is not classic telemetry, it is still outbound data transfer that can mislead users about privacy exposure.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation says unknown addresses are automatically added to a sync queue, while other examples suggest convenience-script behavior that may sync immediately. Conflicting behavior descriptions are dangerous because users cannot reliably predict whether a lookup is passive or whether it will trigger storage and eventual network activity.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill claims local-only processing, no telemetry, and a database-first design, yet the included components and stated dependencies mention Etherscan sync, API-key storage, and ChainAbuse API usage. Such contradictory security claims can cause users to overtrust the tool and expose wallet-related data or operational metadata to third parties without informed consent.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script contradicts the skill's stated 'No external API calls during checks' guarantee by triggering a live sync path when an address is absent from the local database. This is dangerous because users and orchestrators may rely on the documented offline/local-only behavior for privacy, determinism, policy compliance, or sandboxing, yet the script can unexpectedly initiate network activity and process untrusted remote data via downstream Python components.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The address-check workflow depends on an externally supplied API credential to perform synchronization, which means a nominally simple check operation can access network resources whenever the environment is configured. In security-sensitive agent environments, this increases the attack surface by coupling routine validation to secret-bearing external access and can violate least-privilege or data-handling expectations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata and module comments promise database-only checks with no external API calls, but the actual control flow performs live explorer-backed synchronization whenever an address is absent from the local database. This mismatch is security-relevant because users and host systems may rely on the no-network claim for privacy, policy enforcement, or sandboxing decisions, causing sensitive wallet addresses to be disclosed externally under false pretenses.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
Describing the tool as a 'Database-Only Checker' while implementing real-time external synchronization is a deceptive capability disclosure issue. In a cryptocurrency safety assistant, wallet addresses can be sensitive investigation targets, so hidden outbound requests materially increase privacy and trust risk and can violate operator expectations about isolated execution.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code silently retrieves an API key and uses it to enable third-party explorer synchronization despite the surrounding promise of database-only operation. This expands the trust boundary to an external service and introduces hidden credentialed network activity, which is dangerous in environments that prohibit outbound calls or expect transparent data handling.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The metadata conflicts with the stated guarantee of 'No external API calls during checks!' by explicitly advertising background Etherscan synchronization and Etherscan-related functionality. Even if the external access is deferred to a worker, this discrepancy can mislead reviewers and users about the skill's network behavior, reducing informed consent and potentially hiding data egress or trust-boundary expansion.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The worker makes live outbound requests to Etherscan, which contradicts the skill's stated 'No external API calls during checks' safety property. In a security tool, this matters because users may rely on offline/local-only behavior for privacy, determinism, or policy compliance, and queried wallet addresses are transmitted to a third party.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The changelog includes a cron example that embeds an API key directly in the command line (`ETHERSCAN_API_KEY="key" python3 sync_worker.py ...`). Secrets placed in shell history, process listings, screenshots, copied docs, or shared cron configs are easier to leak than secrets stored in protected environment files or secret managers. In this skill's context, the risk is elevated because the file is giving operational setup guidance that users may copy verbatim into production automation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The design stores decoded transaction messages, risk metadata, and blockchain-derived analysis locally without any notice about retention, sensitivity, or operator responsibilities. Even though blockchain data is often public, decoded messages and aggregated profiling can create privacy and compliance issues, especially when retained indefinitely or inspected outside user expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatically queueing user-supplied addresses for later background sync means user input is eventually transmitted to Etherscan, but the documented behavior omits any warning or consent mechanism. This creates an undisclosed outbound data flow that can surprise users and violate assumptions implied by the 'local only' messaging.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation does not place a clear warning at the point of use that checking an unknown address will initiate live Etherscan requests. That omission can cause unintended disclosure of user interest in particular blockchain addresses or workflows.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The auto-invocation examples are broad ('Check if 0x... is a scam', 'Is this address safe') and the workflow implies automatic queuing on first sight. Without strict trigger constraints, normal chat content containing blockchain addresses could cause unintended local storage or downstream sync activity against remote services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The docs do not prominently warn that checking an unknown address causes it to be stored locally and queued for later network sync. For a security-oriented skill handling wallet identifiers, silent persistence and deferred transmission are privacy-relevant behaviors that users should know before invoking the tool.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The manifest explicitly advertises an "Auto-queue system - unknown addresses queued automatically" without defining user-consent requirements, scope limits, or conditions under which queuing occurs. In a security-focused crypto skill, automatic handling of user-supplied blockchain data can trigger unintended background processing, persistence, or follow-on network activity, which expands attack surface and may surprise users or downstream agents.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The feature "Convenience script - auto-sync on first check" indicates automatic execution of sync behavior tied to a check operation, but the manifest does not specify trigger constraints, exclusions, or user approval. Because the skill also references Etherscan sync and local storage, this can cause implicit background actions such as network access, data collection, or longer-running tasks when a user expects only a local safety check.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
When an address is not found locally, the code proceeds to sync it externally without a clear warning at the call site that the queried wallet address will be sent to a third-party scanner. Blockchain addresses may be sensitive in investigative or operational contexts, so undisclosed sharing can leak user interests, targets, or internal workflows.

Missing User Warnings

Low
Confidence
80% confidence
Finding
Accessing an API key without any user-facing disclosure is a weaker but still valid transparency issue because it obscures that authenticated external services are involved in the analysis path. By itself this is lower impact than the hidden address transmission, but it contributes to misleading operation and makes it harder for operators to assess credential exposure and policy compliance.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The installer creates a virtual environment, upgrades pip, installs dependencies, and changes file permissions while suppressing most output and without explicit user confirmation. In a security-sensitive crypto-related skill, silent environment modification increases supply-chain and transparency risk because users may not notice what was installed, whether dependency resolution changed, or whether installation failed in a meaningful way.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code prints a prefix of the Etherscan API key to the console during startup, exposing credential material in logs, terminals, or monitoring systems. Even partial secrets aid fingerprinting, correlation across environments, and accidental disclosure, especially in shared CI/CD or managed logging setups.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal