Social Sentiment Monitor 社媒舆情监控

Security checks across malware telemetry and agentic risk

Overview

This paid crypto sentiment skill is not clearly malicious, but it should be reviewed because it advertises live monitoring while generating simulated data and includes an under-scoped billing path.

Install only if you are comfortable treating this as a paid simulator/prototype, not reliable live market intelligence. Verify SkillPay charges and identity handling with the publisher before use, do not rely on its outputs for trading or incident decisions, and start the daemon only intentionally because it can keep running and write local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
98% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no permissions, yet its documented behavior clearly requires environment access, file read/write, and network access. This under-declaration weakens transparency and consent boundaries, making it easier for a user or platform to invoke a skill with capabilities they did not expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond social sentiment monitoring and includes external billing actions, automatic charging, balance checks, recharge-link generation, and use of a hardcoded API key. This is dangerous because it introduces undisclosed financial side effects and secret-handling risks unrelated to the stated purpose, creating a strong possibility of unauthorized charges or data exfiltration to a third-party payment service.

Description-Behavior Mismatch

High
Confidence
100% confidence
Finding
The file implements hidden billing enforcement for a skill whose declared purpose is social-media sentiment monitoring, indicating functionality that is unrelated to user expectations and the advertised capability. This mismatch is dangerous because it can conceal monetization, exfiltration of identifiers, and forced charge attempts under the guise of benign analytics tooling.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill reads payment identity from an environment variable and uses it for external billing actions unrelated to sentiment analysis. This is risky because environment variables are weak identity signals, can be misconfigured or manipulated, and may cause charges or account operations against the wrong user.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstring claims the function only verifies whether payment has already occurred, but the implementation actually attempts to charge the user. This mismatch is dangerous because it misleads reviewers and callers, increasing the chance of unintended charges and concealing side effects in a function that appears read-only.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
`verify_fud` presents itself as an authenticity-verification function, but it fabricates results using random values instead of checking any evidence. In a social-sentiment monitoring skill, this can mislead users into treating rumors as confirmed or dismissing real warnings as false, directly distorting risk decisions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
`monitor_token` claims to monitor token-related negative information, but it only processes internally generated mock posts, so the output does not reflect real social-media conditions. In this skill's context, that is dangerous because users may rely on fake alerts or false reassurance when making trading, communications, or incident-response decisions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
This module is described as a real-time KOL monitoring tool, but the implementation fabricates posts, engagement, accuracy scores, and sentiment using hardcoded templates and random values. In a crypto sentiment-monitoring context, presenting synthetic data as real observations can mislead users into making financial or operational decisions based on false market signals, making the deception materially dangerous.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The report function fetches newly simulated posts at report time and then prints them as if they were actual recent KOL statements and analytics. Because this skill is meant for social sentiment monitoring in cryptocurrency markets, the report output can create false urgency, fabricated sentiment shifts, and fake token mentions that users may trust as live intelligence.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The function presents itself as generating a real social sentiment report, but all core metrics are fabricated with random values. In a crypto-monitoring context, users could rely on false data for trading, risk assessment, or reputation monitoring, making this materially misleading and potentially harmful.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The module documentation claims this is a sentiment report generator for real monitoring, while the implementation only simulates outputs. This mismatch increases the risk that operators or downstream agents will treat mock analytics as trustworthy intelligence.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code emits investment-oriented recommendations such as holding, taking profit, building positions, and buying during panic, despite having no real market or sentiment basis. In a crypto setting, ungrounded financial advice can directly influence user decisions and amplify losses.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file claims to analyze social-media sentiment, but `fetch_social_data` fabricates posts, sentiment scores, engagement, and follower counts using `random` instead of collecting real platform data. In the context of a crypto monitoring skill, presenting simulated outputs as if they reflect real market sentiment can mislead users into making financial decisions based on false information.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The skill metadata promises real-time monitoring, hotspot tracking, KOL tracking, and negative-sentiment detection, but the implementation only produces local random data and derives reports from it. This mismatch is security-relevant because it creates deceptive operational behavior: downstream users or agents may trust fabricated analytics as actionable intelligence in a high-risk crypto context.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file is described as a real-time social-media monitoring tracker, but the implementation only fabricates outputs using hard-coded samples and random values. In a crypto-monitoring context, this can mislead users or downstream agents into acting on false market sentiment, creating operational and financial risk even without classic code-execution behavior.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The behavior throughout the main tracking functions does not match the manifest's claimed capability of real-time social-media monitoring and analysis; it returns synthetic data for trending topics, keyword tracking, viral content, and sentiment. In this skill's context, false analytics are particularly dangerous because users may rely on them for crypto trading, reputational monitoring, or alerting decisions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The billing request sends user identifiers and initiates charge actions without clear user-facing disclosure in the code path shown. In an unrelated skill, silent transmission and charging behavior materially increase the risk of deceptive billing and privacy violations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill reads a user identifier from an environment variable and sends it to external billing endpoints without clear disclosure or evidence of verified identity binding. This can expose private identifiers and cause incorrect billing if the environment is manipulated or stale.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation lists sensitive tokens, API keys, chat IDs, and webhook URLs in a `.env` example without any warning about secret handling, rotation, or keeping them out of source control. In a skill that integrates with multiple third-party services, this normalizes unsafe credential practices and increases the chance that operators will hardcode or accidentally commit live secrets, leading to account compromise or unauthorized data access.

VirusTotal

64/64 vendors flagged this skill as clean.
