Security audit

Miraix Meme Court

Security checks across malware telemetry and agentic risk

Overview

This crypto-trading helper is mostly transparent, but it needs review because it can run implicitly, uses default trade inputs, and sends wallet and trade details to a third-party service.

Review before installing. Use it only if you are comfortable sending wallet and trade parameters to Miraix, provide your own wallet and budget explicitly, and treat outputs as informational rather than financial advice. Inspect any unsigned payload carefully in your wallet before signing anything.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill enables implicit invocation while describing activation in broad natural-language terms such as helping shortlist Solana meme candidates and approve trades. That creates a real risk of the agent invoking this skill in loosely related conversations, which is especially dangerous because the skill concerns financial decision support and trade preparation, where mistaken activation could influence user actions or prepare trading payloads without sufficiently explicit user intent.

External Transmission

Medium
Category
Data Exfiltration
Content
2. Run the desk:

```bash
curl -sS https://app.miraix.fun/api/meme-rotation-desk \
  -H 'Content-Type: application/json' \
  -d '{
    "walletAddress":"<wallet-address>",
```
Confidence
87% confidence
Finding
curl -sS https://app.miraix.fun/api/meme-rotation-desk \ -H 'Content-Type: application/json' \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
then call:

```bash
curl -sS https://app.miraix.fun/api/meme-rotation-desk/prepare \
  -H 'Content-Type: application/json' \
  -d '{
    "walletAddress":"<wallet-address>",
```
Confidence
92% confidence
Finding
curl -sS https://app.miraix.fun/api/meme-rotation-desk/prepare \ -H 'Content-Type: application/json' \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
8. If the user gives an `orderId` and wants status, run:

```bash
curl -sS https://app.miraix.fun/api/meme-rotation-desk/order-status \
  -H 'Content-Type: application/json' \
  -d '{
    "orderId":"<order-id>"
```
Confidence
81% confidence
Finding
curl -sS https://app.miraix.fun/api/meme-rotation-desk/order-status \ -H 'Content-Type: application/json' \ -d

VirusTotal

63/63 vendors flagged this skill as clean.
