Whale Alert Monitor (Whale Monitoring)

Security checks across malware telemetry and agentic risk

Overview

This skill needs review because it advertises real crypto monitoring but mostly generates simulated financial data and includes direct billing code.

Review before installing or running. Do not rely on this for trading, compliance, or real monitoring unless the publisher replaces simulated data with documented live data sources, fixes daemon controls, removes or rotates the hardcoded billing key, and clearly explains when charges and third-party notifications occur.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
99% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Tainted flow: 'webhook_url' from os.getenv (line 200, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
                'embeds': [embed]
            }

            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 204:
                logger.info("✅ Discord通知已发送")
            else:
Confidence
92% confidence
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Tainted flow: 'webhook_url' from os.getenv (line 200, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
                'timestamp': datetime.now().isoformat()
            }

            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 200:
                logger.info("✅ Webhook通知已发送")
        except Exception as e:
Confidence
95% confidence
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises executable capabilities involving environment access, file I/O, and network use, but does not declare permissions. This weakens user consent and platform enforcement because the skill can access credentials, local files, and external endpoints without those capabilities being clearly surfaced in metadata.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is whale-wallet monitoring, but the finding indicates additional billing behavior including payment verification, balance checks, payment-link generation, and transmission of user_id/skill_id/amount to a third-party payment service. Hidden or under-disclosed monetization flows are dangerous because they can collect user data, trigger unexpected charges, or gate core functionality behind an external service the user did not knowingly authorize.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The manifest declares payment credential handling via environment variables and makes payment required, even though the skill's stated purpose is whale-wallet monitoring. This expands the skill's privilege and secret-handling surface unnecessarily, increasing the risk of credential misuse, unauthorized billing flows, or abuse if the skill or its surrounding infrastructure is compromised.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file implements billing enforcement and remote charging behavior that is unrelated to the declared whale-alert monitoring purpose. Capability mismatch is dangerous in agent skills because users and reviewers expect crypto-monitoring logic, not hidden monetization code that can interrupt execution, exfiltrate identifiers, and charge accounts.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill reads SKILLPAY_USER_ID from the environment even though that capability is not justified by the stated monitoring purpose. In this context, accessing ambient runtime identity expands the skill's access to sensitive context and enables linking a user/session to a third-party billing provider without transparent user approval.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The function named and documented as payment verification actually calls charge_user, meaning a supposedly passive check can debit the user. This mismatch is especially dangerous because callers, reviewers, or integrators may invoke it expecting a safe verification step, causing unintended charges through deceptive semantics.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function is documented and presented as fetching exchange flow data, but it actually generates random synthetic records. In a skill advertised for real-time whale/exchange monitoring, this can mislead users into making trading or alerting decisions based on fabricated data, which is a security-relevant integrity issue even without code execution or data exfiltration.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The skill metadata promises real-time exchange fund-flow monitoring and alerts, but this file only performs local demo-style simulation using random values. In this context, the mismatch is more dangerous because users are likely to trust outputs as actionable market intelligence, causing false alerts, missed risk events, or financial harm from decisions based on nonexistent signals.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function claims to calculate PnL history but instead hard-codes every sell as a 10% profit, which fabricates financial performance data. In a whale-monitoring and trading-intelligence context, users may rely on these metrics for investment decisions, so misleading analytics can cause real financial harm even though this is not a memory-corruption or code-execution issue.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The implementation presents itself as a transfer monitor but `fetch_recent_transfers` only fabricates random transactions, so alerts and reports are detached from real blockchain activity. In the context of a whale-alert skill, this can mislead users into acting on false market signals, creating operational and financial risk even though it is not a memory-safety issue.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module docstring states that it monitors large on-chain transfers, but the code does not do that and instead generates mock data. This documentation/behavior mismatch increases the chance that operators or downstream agents will trust fake alerts as genuine telemetry.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The function is documented and used as if it retrieves wallet transaction history, but it actually fabricates random transactions. In a security- or finance-adjacent monitoring skill, this can mislead users into acting on false intelligence, producing incorrect alerts, reports, and operational decisions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata promises real-time whale monitoring, exchange-flow tracking, alerts, and reporting, but the implementation only performs offline analysis on fabricated data and exports a local JSON file. This mismatch is dangerous because users may trust nonexistent monitoring coverage and make financial or investigative decisions based on false assumptions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill promotes Telegram/Discord/Webhook notifications but does not warn users that monitored wallet addresses, transaction details, or alert metadata may be sent to external services. In a crypto-monitoring context, this can expose sensitive intelligence about user watchlists, strategy, or operational interests to third parties.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The configuration example includes Telegram bot tokens, chat IDs, and Discord webhook settings without an explicit warning on credential handling and outbound data flow. This encourages unsafe operational use, especially if users store secrets in plaintext config files or overlook that notifications send monitoring data to third-party endpoints.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code reads a user identifier from an environment variable and transmits it to an external billing service without any prior disclosure in this file. This creates a privacy and trust violation because users of a whale-alert monitoring skill would not reasonably expect hidden transfer of their identity to a billing backend.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document includes real secret-bearing environment variable names for API keys, bot tokens, chat IDs, and webhook URLs but provides no warning about secret handling, rotation, or avoiding commits to source control. In a monitoring skill that depends on external APIs and outbound notifications, this increases the chance that operators will place live credentials in .env files and accidentally expose them through repositories, logs, screenshots, or support bundles.

VirusTotal

67/67 vendors flagged this skill as clean.
