Whale Alert Monitor 大户监控

Security checks across malware telemetry and agentic risk

Overview

This paid crypto-monitoring skill is not clearly malicious, but it needs review because it can perform billing calls and presents simulated financial monitoring as if it were live intelligence.

Install only if you are comfortable with a paid SkillPay integration that may attempt per-use billing, and treat generated crypto reports or alerts as demo/simulated unless the publisher provides real, auditable data sources. Configure Telegram, Discord, and webhook endpoints carefully because alert details may be sent to third-party services, and keep API keys and bot tokens out of shared files or repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
97% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def get_payment_link(user_id: str, amount: float = 5.0) -> str:
    """生成充值链接"""
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/payment-link",
            headers=HEADERS,
            json={"user_id": user_id, "amount": amount},
Confidence
84% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/payment-link", headers=HEADERS, json={"user_id": user_id, "amount": amount}, timeout=10

Tainted flow: 'webhook_url' from os.getenv (line 200, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
'embeds': [embed]
            }
            
            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 204:
                logger.info("✅ Discord通知已发送")
            else:
Confidence
93% confidence
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Tainted flow: 'webhook_url' from os.getenv (line 200, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
'timestamp': datetime.now().isoformat()
            }
            
            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 200:
                logger.info("✅ Webhook通知已发送")
        except Exception as e:
Confidence
98% confidence
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and demonstrates capabilities that imply access to environment variables, local files, network services, and likely persistent configuration, yet it declares no permissions. This is dangerous because users and hosting platforms cannot accurately understand or constrain what the skill can access, increasing the chance of unintended secret exposure, file access, or outbound data transmission.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill's stated purpose is whale-wallet monitoring, but the analysis indicates hidden or undeclared billing behavior including per-use charging, querying user balance, generating payment links, contacting an external billing domain, and identifying users via an environment variable. This mismatch is security-relevant because it can cause undisclosed data sharing and financial actions outside user expectations, especially when tied to an external service.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The entire file implements billing/paywall enforcement even though the skill is presented as a whale-wallet monitoring assistant. This mismatch is dangerous because concealed monetization or payment-processing code inside an unrelated skill is a strong indicator of deceptive behavior and can lead to unauthorized charges or covert data transmission.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code introduces payment-processing capability that is not necessary for wallet monitoring or alerting. In context, this unjustified capability expands the attack surface, enables user data transfer to a remote payment service, and suggests the skill may be doing more than users and reviewers expect.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The docstring claims verify_payment only checks whether a user has paid, but the implementation immediately calls charge_user and performs a billable action. Mislabeling a charging function as a verification step is dangerous because it can mislead reviewers, integrators, and users into triggering charges unintentionally.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill metadata declares Telegram and Discord notifications, but the code also exposes a generic webhook channel. That broader transmission capability increases the attack surface and allows data to be sent to arbitrary third-party endpoints outside the stated product scope.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The function advertised as fetching exchange flow data does not query any real blockchain or exchange source and instead fabricates randomized records. In the context of a monitoring/alerting skill for whale and exchange-fund movement, this can mislead users into acting on false market signals, producing unsafe financial decisions and false alerts.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module-level documentation describes a real exchange flow monitor, but the implementation is only a simulation. This mismatch is security-relevant because users or downstream agents may trust the component for real-time monitoring and generate alerts, reports, or trading decisions based on fabricated data.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The code labels outputs as wallet analysis while the underlying trade history and prices are explicitly simulated. In a crypto monitoring skill, this can mislead users into acting on fabricated whale activity, causing bad trading or operational decisions even though there is no direct code-execution risk.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The PnL history function claims to calculate historical PnL but actually credits every sell with a fixed profit, which can materially falsify performance reporting. In this skill's financial-analysis context, inaccurate profit signals are especially dangerous because users may rely on them for trading, alerting, or reputation judgments about a wallet.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill claims real-time whale and exchange monitoring, but the implementation fabricates random transfer events instead of consuming real blockchain or exchange data. In this context, users may make financial or operational decisions based on false alerts, which is a material integrity and trust failure rather than a harmless demo mismatch.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The module documentation presents the component as a genuine transfer monitor, but the implementation is only a simulator. Misrepresenting simulated behavior as live monitoring increases the risk that operators trust outputs they should treat as test data, especially in a financial-alerting skill.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The function explicitly generates simulated transactions, but downstream analysis, balances, pattern detection, and exported reports are presented in a way that resembles real wallet intelligence. In a financial-monitoring skill, this can mislead users into acting on fabricated market signals or believing monitoring coverage exists when it does not.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata promises real-time whale monitoring, exchange flow tracking, threshold alerts, and notifications, but the implementation only generates local random data and produces a demo report. In this context, the mismatch is dangerous because users may rely on nonexistent monitoring and fabricated transaction intelligence for financial or operational decisions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill derives a user ID from an environment variable and uses it for automatic billing without a user-facing notice or confirmation. This is dangerous because users may be charged or have identifying information disclosed to a third party without meaningful awareness or consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document enumerates sensitive environment variables for API keys, project secrets, bot tokens, chat IDs, and webhook URLs without any accompanying guidance on secret handling, rotation, access control, or avoiding commits to source control. In a monitoring skill that depends on third-party APIs and outbound notifications, this normalization of secret placement increases the chance that operators will hardcode or expose credentials, leading to account abuse, data leakage, or unauthorized alert delivery.

VirusTotal

67/67 vendors flagged this skill as clean.
