ClawHub

Miraix Wallet Roast

Security checks across malware telemetry and agentic risk

Overview

This is a small wallet-analysis skill that sends user-provided Solana wallet addresses to Miraix public APIs, with privacy and financial-output caveats but no hidden execution or persistence.

Install only if you are comfortable sending Solana wallet addresses you provide to Miraix for analysis and share-card generation. Do not provide seed phrases, private keys, exchange credentials, or treat returned rebalance/swap text as automatically safe to execute.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs the agent to transmit the user's wallet address to a third-party public API without any explicit notice, consent step, or privacy warning. While a wallet address is public on-chain, linking it to a live user request and sending it to an external service still creates a privacy and data-sharing risk, especially because the service can log addresses, IPs, timing, and request metadata.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Enabling implicit invocation without trigger constraints allows the platform to auto-select this skill in loosely related conversations, which can cause wallet-analysis behavior to run when the user did not explicitly request it. In a crypto context, unexpected invocation can expose wallet addresses, produce financial guidance-like output, or generate branded share links without clear user intent, increasing privacy, trust, and misrouting risks.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal