Whale Alert Monitor 鲸鱼监控

Security checks across malware telemetry and agentic risk

Overview

This paid crypto monitoring skill is presented as live whale and exchange-flow intelligence, but its core scripts generate simulated financial data while also supporting billing and external notifications.

Review carefully before installing. Treat this as a paid demo or simulator unless the publisher replaces the random data paths with verified live data sources. Do not rely on its alerts, balances, exchange-flow reports, or PnL output for trading decisions, and only configure notification webhooks or chat channels that you control and expect to receive wallet and transaction metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
97% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Tainted flow: 'webhook_url' from os.getenv (line 200, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
'embeds': [embed]
            }
            
            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 204:
                logger.info("✅ Discord通知已发送")
            else:
Confidence
89% confidence
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Tainted flow: 'webhook_url' from os.getenv (line 200, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
'timestamp': datetime.now().isoformat()
            }
            
            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 200:
                logger.info("✅ Webhook通知已发送")
        except Exception as e:
Confidence
93% confidence
Finding
response = requests.post(webhook_url, json=payload, timeout=10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises only a monitoring use case, yet static analysis detected environment, file read/write, and network capabilities without any declared permissions. Undeclared capabilities reduce transparency and allow sensitive actions such as exfiltrating local data, modifying files, or accessing secrets from environment variables without clear user awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose is whale-transfer monitoring, but the detected behavior expands into billing actions, recharge-link generation, outbound notifications to third-party channels, portfolio/PnL analysis, and exporting configuration and wallet data to local files. This mismatch is dangerous because users may authorize the skill for market monitoring while it also handles payments, transmits data externally, and persists sensitive wallet-related information beyond the stated scope.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill's stated purpose is whale-tracking, yet it reads a user identifier from the environment for billing. This hidden capability expands data access beyond user expectations and creates a trust boundary problem, especially because environment variables are not a reliable authenticated identity source.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file implements monetization and recharge behavior rather than the advertised whale-alert functionality. That mismatch is dangerous because users and reviewers may grant access expecting market analysis while the code performs unrelated billing actions, increasing the chance of deceptive behavior and unauthorized charges.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
This code supports outbound notifications to Telegram, Discord, and custom webhooks using environment-provided credentials and endpoints, which expands the skill from local monitoring into external data transmission. In the context of a whale-alert skill, Telegram/Discord alerting is plausible, but the unrestricted custom webhook materially increases the risk surface and should be treated as a real capability mismatch.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The function explicitly generates random mock fund-flow records while the skill metadata and surrounding code present the capability as real exchange-flow and whale monitoring. In a financial monitoring skill, this can mislead users into making trading or risk decisions based on fabricated data, which is a security-relevant integrity issue even though it is not a classic code-execution flaw.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file-level description and reporting output describe the tool as a monitoring system, but the implementation only produces simulated results. This mismatch increases the chance that operators or downstream agents will trust the output as live intelligence, enabling deception and potentially harmful financial decisions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function claims to fetch wallet trade history for a supplied address, but it ignores the address and generates random simulated trades instead. In a crypto monitoring skill, this can mislead users into acting on fabricated portfolio and whale-activity data, undermining trust and potentially causing financial decisions based on false information.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The PnL history logic hardcodes every sell as a 10% profit rather than computing realized gains from actual cost basis. This produces systematically false profitability reports, which is especially risky in a financial-analysis skill where users may rely on PnL trends to assess trader sophistication or copy trading strategies.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill metadata promises whale tracking, large-transfer alerts, and exchange flow analysis, but this file only performs local simulated holding analysis and simple pattern detection. This functionality mismatch is dangerous because it can create a false impression of live intelligence and monitoring coverage in a high-stakes financial context.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The function advertised as fetching recent transfers actually fabricates random data, so the skill can present fake whale alerts as if they were real on-chain activity. In a crypto-monitoring skill, this is dangerous because users may make trading or operational decisions based on false signals, creating a material integrity and fraud risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill description promises exchange fund-flow analysis, but the implementation only performs simple threshold-based alerts and contains no exchange attribution or flow-analysis logic. This mismatch can mislead users into overtrusting the output and making decisions under the false assumption that exchange-specific intelligence was performed.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The docstring states that recent transfers are fetched, but the code generates fabricated mock transfers instead. Misrepresenting simulated data as fetched data undermines transparency and can conceal that the tool is non-functional or deceptive in production use.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill advertises real whale-wallet and exchange-flow monitoring, but `fetch_transactions` fabricates transaction history with random values instead of retrieving on-chain data. In a financial monitoring context, this is dangerous because users may act on false market intelligence, creating direct monetary risk and undermining trust in the platform.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The wallet analysis assigns `current_balance_eth` using a random number rather than computing or fetching the real balance. Because the skill is positioned as a crypto decision-support tool, presenting fabricated balances can mislead users about whale holdings and accumulation/distribution behavior, potentially causing harmful trading decisions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README explicitly promotes outbound notification channels such as Telegram, Discord, and generic webhooks, and shows use of Telegram bot credentials, but provides no warning that wallet activity, alert contents, and metadata may be transmitted to third-party services. In a monitoring skill, this can expose sensitive trading intelligence, tracked addresses, and operational metadata to external platforms or misconfigured endpoints, increasing privacy and data-leak risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code accesses a user-identifying environment variable without meaningful user-facing notice beyond an internal comment. Hidden collection and transmission of identifiers to an external payment service can violate privacy expectations and make users unaware of account-linked billing behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The daemon forwards alert content to Telegram/Discord channels automatically, including wallet fragments, transaction hash, token, and value, without an explicit consent gate or transmission warning at the point of use. In a monitoring skill, this can leak sensitive operational intelligence or financial activity metadata to third-party services or misconfigured channels, especially if notifications are enabled in config by default or by a copied sample config.

External Transmission

Medium
Category
Data Exfiltration
Content
'embeds': [embed]
            }
            
            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 204:
                logger.info("✅ Discord通知已发送")
            else:
Confidence
87% confidence
Finding
requests.post(webhook_url, json=

External Transmission

Medium
Category
Data Exfiltration
Content
'timestamp': datetime.now().isoformat()
            }
            
            response = requests.post(webhook_url, json=payload, timeout=10)
            if response.status_code == 200:
                logger.info("✅ Webhook通知已发送")
        except Exception as e:
Confidence
92% confidence
Finding
requests.post(webhook_url, json=

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
