Whale Alert Monitor 大户监控

Security checks across malware telemetry and agentic risk

Overview

This paid crypto-monitoring skill needs review because it presents random simulated data as live whale-alert intelligence and has under-scoped billing and notification behavior.

Install only if you are treating this as a demo or prototype. Do not rely on its alerts, balances, exchange-flow reports, or PnL output for trading, compliance, or security decisions unless the publisher replaces the random generators with verified live data sources. If testing it, use disposable notification credentials, verify webhook destinations, avoid sensitive wallet targets, and require an explicit billing confirmation flow before any charge is attempted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
97% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Tainted flow: 'webhook_url' from os.getenv (line 200, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
'embeds': [embed]
            }
            
            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 204:
                logger.info("✅ Discord通知已发送")
            else:
Confidence
92% confidence
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Tainted flow: 'webhook_url' from os.getenv (line 200, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
'timestamp': datetime.now().isoformat()
            }
            
            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 200:
                logger.info("✅ Webhook通知已发送")
        except Exception as e:
Confidence
96% confidence
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises and demonstrates capabilities that require environment access, file I/O, and network access, yet it declares no permissions. This creates a transparency and consent problem: users and hosts cannot accurately assess what the skill may access or transmit before execution, increasing the chance of over-privileged or unexpected behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented skill purpose is wallet and exchange-flow monitoring, but the analyzed behavior includes external billing operations such as payment verification, automatic charging, payment-link generation, and use of a hardcoded billing API key. Hidden monetization and undeclared third-party billing expand the trust boundary and can expose users to unauthorized charges, secret leakage, or outbound data sharing unrelated to the core monitoring function.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The metadata declares required payment credential handling via environment variables and a third-party billing provider, even though the skill’s stated purpose is whale-wallet monitoring and alerting. Introducing payment-related secrets expands the attack surface and creates unnecessary access to sensitive credentials that could be exposed, misused, or leveraged for unauthorized billing if the surrounding platform or skill implementation is compromised.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a full third-party billing and paywall mechanism even though the skill is described as a whale-alert monitoring assistant. This mismatch is dangerous because it introduces unexpected monetization behavior and external data transfer capabilities unrelated to the advertised function, a common sign of deceptive or unauthorized functionality.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill reads an environment-based user identity solely for billing purposes, which is not justified by the monitoring functionality described to users. This expands the skill's access to sensitive runtime context and can enable silent correlation or billing actions without user awareness.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The docstring says the function verifies whether the user has already paid, but the implementation calls charge_user and attempts to deduct funds immediately. This misleading naming and documentation can hide billing side effects from reviewers and integrators, increasing the risk of accidental or unauthorized charges.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The code exposes a generic webhook notification channel even though the declared skill scope emphasizes Telegram and Discord notifications. This scope expansion matters because it introduces an extra external-transmission path that can be used for data exfiltration or policy bypass, especially in an agent skill where users may assume only documented integrations are present.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file presents itself as an exchange fund-flow monitor, but `fetch_flow_data` fabricates random transactions rather than collecting real blockchain or exchange data. In a trading-alert skill, this can mislead users into acting on false signals, undermining trust and potentially causing financial loss through incorrect decisions or bogus alerts.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function claims to calculate PnL history but instead fabricates profit by assigning every sell a positive return. In a whale-monitoring and portfolio-analysis skill, this can materially mislead users about wallet performance, accumulation/distribution behavior, and trading success, causing bad operational or investment decisions.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The code advertises fetching wallet trade history but ignores the provided address and generates random trades instead. In the context of a real-time whale-alert monitoring skill, this is dangerous because it can produce false reports, false alerts, and fabricated behavioral analysis for arbitrary wallets while appearing authoritative.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This code claims to monitor large on-chain transfers, but `fetch_recent_transfers` generates random synthetic data instead of querying a blockchain node, indexer, or API. In a financial alerting skill, this is dangerous because users may make trading, compliance, or operational decisions based on fabricated alerts or miss real whale movements entirely.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill advertises whale-wallet monitoring and analysis, but the core transaction feed is fabricated with random data rather than sourced from blockchain APIs or node data. In a financial-monitoring context, this can mislead users into acting on false alerts, false accumulation/distribution signals, and nonexistent exchange flows.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The wallet balance used in reports is randomly generated, so the reported ETH holdings and downstream interpretation of whale behavior are false. Because this skill is positioned as a crypto intelligence tool, inaccurate balance reporting can directly distort trading decisions, risk assessments, and user trust.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file presents itself as a whale tracker while the implementation relies on simulated data, creating a deceptive mismatch between stated purpose and actual behavior. In a trading and alerting context, this raises the risk that users or downstream agents treat fictional outputs as actionable intelligence.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill promotes real-time Telegram/Discord/Webhook notifications but does not clearly warn that monitored wallet activity, alert metadata, or derived analysis may be transmitted to external services. This omission can lead users to unknowingly send potentially sensitive monitoring data to third-party platforms or misconfigured webhooks, causing privacy, confidentiality, or operational exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code accesses SKILLPAY_USER_ID from the environment to identify who should be billed, but there is no meaningful user-facing disclosure or consent mechanism. In this skill context, that hidden identity access is more dangerous because billing is unrelated to the advertised whale-monitoring behavior and may surprise both users and hosts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document includes environment variable examples for API keys, bot tokens, project secrets, chat IDs, and webhook URLs, but does not warn users to keep these secrets out of source control, logs, and client-side code. In a monitoring skill that depends on external APIs and notification channels, this omission increases the chance of accidental credential leakage, which could enable abuse of paid APIs, unauthorized notifications, or compromise of integrated services.

External Transmission

Medium
Category
Data Exfiltration
Content
'timestamp': datetime.now().isoformat()
            }
            
            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 200:
                logger.info("✅ Webhook通知已发送")
        except Exception as e:
Confidence
90% confidence
Finding
requests.post(webhook_url, json=

VirusTotal

65/65 vendors flagged this skill as clean.
