MetEngine Data Agent

Security checks across malware telemetry and agentic risk

Overview

This market-data skill is mostly coherent, but it asks agents to auto-update themselves from a remote URL, persist wallet-related state, and handle payment signing material.

Review carefully before installing. Do not enable the cron auto-update; only update the skill manually after reviewing the new file. Use a dedicated low-balance Solana wallet, set spending limits outside the skill where possible, and avoid letting the agent store or reuse wallet-related memory or bootstrap code without your explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium severity, 95% confidence

Finding
The skill instructs the agent to read a cross-session local memory file containing wallet configuration and operational state before making any API call. For a read-only analytics API, this expands scope into local file access and persistence, increasing risk of unintended data exposure or use of unrelated sensitive local context.

Context-Inappropriate Capability

Medium severity, 97% confidence

Finding
The mandated creation and continuous updating of a persistent memory file after setup and after every API call is unnecessary for the stated analytics purpose. This creates durable local state containing wallet metadata, endpoint history, and bootstrap details that could leak user activity patterns or be repurposed by later instructions.

Context-Inappropriate Capability

High severity, 99% confidence

Finding
The skill directs agents to periodically download and overwrite the local skill file via curl and cron, effectively enabling remote self-modification. This allows future behavior changes from a remote source without review, turning a static skill into a moving trust boundary and increasing supply-chain risk.

Context-Inappropriate Capability

High severity, 94% confidence

Finding
The bootstrap code instructs agents to ingest a private key from an environment variable to sign payments, which introduces sensitive credential handling beyond simple API consumption. Even if needed for payment, embedding raw key use in general-purpose skill instructions raises the chance of key misuse, accidental exposure, or insecure reuse across contexts.

Intent-Code Divergence

Medium severity, 88% confidence

Finding
The skill's wallet security guidance says not to read or store key material broadly, but the later example directly consumes a private key from an environment variable. This contradiction can mislead implementers into unsafe handling patterns and undermines the credibility of the security guidance.

Missing User Warnings

Medium severity, 93% confidence

Finding
The skill requires persistent storage of wallet configuration, package state, endpoint history, and bootstrap code without clearly warning about privacy and retention consequences. This can cause silent cross-session accumulation of sensitive operational data that users may not expect a market analytics skill to keep.

Missing User Warnings

Medium severity, 91% confidence

Finding
The recommended automated weekly curl overwrite changes the skill's behavior based on remote content without a clear warning that future instructions may materially differ from the reviewed version. That is a prompt-supply-chain hazard, especially because the skill content is itself executable guidance for agents.

Ssd 3

Medium severity, 94% confidence

Finding
The persistent memory design directs the agent to keep cross-session logs of wallet paths, public addresses, bootstrap code, and endpoint history. Even without private keys, this is sensitive operational metadata that can reveal user identities, infrastructure layout, and repeated activity over time.

Ssd 3

Medium severity, 95% confidence

Finding
The memory template and update rules formalize ongoing collection of wallet metadata, working client code, and per-call history in a durable local file. This increases the blast radius of any local compromise and creates an unnecessary inventory of sensitive context for later prompts or tools to read.

VirusTotal

66/66 vendors flagged this skill as clean.