Odds Movement Monitor 赔率异动监控

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but its built-in billing code can charge a SkillPay identity from the environment without a clear user confirmation flow.

Review this before installing. It is a paid sports-odds monitoring skill, and the included SkillPay code can attempt a 0.01 USDT charge when invoked by the runtime or caller. Confirm which SKILLPAY_USER_ID will be used, whether the host requires explicit approval before each charge, and whether the embedded SkillPay API key has been rotated or replaced with a safer platform-managed credential.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script prepends a path under the user's home directory to sys.path, causing imports to resolve from a user-controlled location outside the skill package. That can load unexpected or tampered Python modules if the directory contents are modified, creating a code execution and supply-chain style risk when the demo is run.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The module pulls a user identity from an environment variable even though the skill's advertised purpose is odds monitoring, not identity-aware billing. In an agent/runtime environment, environment variables may contain sensitive or platform-scoped identifiers, and binding charges to them without explicit consent or provenance checks can enable privacy leakage, misbilling, or unauthorized correlation across sessions.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file implements charging and payment-link generation that are outside the core odds-monitoring behavior described for the skill, which increases supply-chain and user-trust risk. Hidden monetization logic can trigger external calls, charge users unexpectedly, and create a misleading mismatch between declared functionality and actual behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README exposes very broad natural-language trigger phrases such as monitoring all matches or detecting abnormal movement without defining clear activation boundaries, confirmation requirements, or scope limits. In an agent setting, this can cause unintended invocation, over-broad data collection, or execution on ambiguous user requests, especially because the skill is framed as a real-time monitoring system with batch capability.

Vague Triggers

Medium
Confidence
72% confidence
Finding
The skill description does not define clear activation scope or trigger constraints, so it may be invoked in broader contexts than intended. For a tool with implied network access, payment integration, and possible persistence, ambiguous activation conditions increase the chance of accidental use, surprise billing, or unintended external requests.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code accesses a user identifier from an environment variable without clear disclosure, which is risky in shared agent environments where users may not expect hidden collection of runtime identifiers. This can undermine transparency, create privacy issues, and facilitate silent linking of activity to a stable identifier that is then transmitted to a third party.

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp>=3.8.0
requests>=2.28.0
Confidence
93% confidence
Finding
aiohttp>=3.8.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
aiohttp>=3.8.0
requests>=2.28.0
Confidence
93% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: aiohttp — 10 advisory(ies): CVE-2024-52303 (aiohttp has a memory leak when middleware is enabled when requesting a resource); CVE-2026-34514 (AIOHTTP has CRLF injection through multipart part content type header constructi); CVE-2026-34517 (AIOHTTP has late size enforcement for non-file multipart fields causes memory Do) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
aiohttp

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
requests

VirusTotal

63/63 vendors flagged this skill as clean.
