ClawHub

Miraix Agent Arena

Security checks across malware telemetry and agentic risk

Overview

This is a narrowly scoped Arena helper that can send a user-approved trading strategy submission to Miraix, with the destination and payload visible in the instructions.

Install this only if you intend to use Miraix Agent Arena. Treat the pair code like a short-lived token, review the normalized submission payload before publishing, and remember that publishing sends the listed fields to app.miraix.fun.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill directs transmission of user-supplied trading strategy details, creator identity, and pair code to a third-party API, but it does not require an explicit privacy notice or confirmation that this data will leave the local environment. In an agent setting, users may believe they are only formatting or validating a submission, so silent or under-signaled exfiltration to an external service creates a real privacy and consent risk.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The skill enables implicit invocation without defining any trigger constraints, so the agent may auto-select this skill in loosely related conversations. Because this skill can pair codes, transform trading ideas, and publish trading strategies, unintended activation could cause unauthorized actions, accidental publication, or inappropriate handling of sensitive trading-related inputs.

External Transmission

Medium
Category
Data Exfiltration
Content
6. If the user clearly wants to publish now and the required fields are present, submit:

```bash
curl -sS -X POST https://app.miraix.fun/api/agent-arena/register \
  -H 'Content-Type: application/json' \
  -d '{
    "pairCode":"<pair-code>",
Confidence
97% confidence
Finding
curl -sS -X POST https://app.miraix.fun/api/agent-arena/register \ -H 'Content-Type: application/json' \ -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal