aicade galaxy skills

Security checks across malware telemetry and agentic risk

Overview

This skill serves a genuine AICADE Galaxy gateway purpose, but its scripts can expose API keys and sensitive payment-related request data in logs, and its bootstrap step may overwrite a local .env file.

Install only if you specifically intend to use AICADE Galaxy. Do not enable AICADE_GALAXY_DEBUG with real credentials or sensitive requests. Keep .env out of source control. Review any existing .env before running bootstrap, because bootstrap may rewrite it. Invoke only trusted artifacts exported from the intended AICADE Galaxy endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding:
The skill advertises and instructs the use of environment variables, filesystem reads and writes, network access, and shell execution, yet declares no explicit permissions or trust boundaries. This matters because the host may grant or simulate these capabilities without clear user consent, enabling external API calls, local artifact creation, and command execution during install or activation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
When debug mode is enabled, the script logs the full invocation input and output objects, which can include user-supplied payloads, service responses, and potentially sensitive business or personal data. In a monetization and payment-oriented skill, these payloads may contain API inputs, account identifiers, or commercially sensitive response data, so full-object logging increases the chance of unintended disclosure through stdout, CI logs, or agent telemetry.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The script unconditionally prints the tool name and full payload to stdout for every invocation, even when debug mode is disabled. Because this skill is designed to call dynamic gateway services related to payments and monetization, request arguments may contain customer data, API parameters, wallet identifiers, or other sensitive transactional content that can leak into logs or calling environments.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The trigger list contains broad phrases such as 'ai payments', 'make money with ai', and 'api payment', which can match many ordinary conversations unrelated to this external platform. Overbroad activation increases the chance the skill is invoked unexpectedly, causing unsolicited network access, setup flows, or prompts for API credentials in contexts where the user did not intend to use AICADE Galaxy.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill explicitly directs bootstrap, export, and invocation flows that send requests to an external platform using an API key, but it does not prominently warn users that data and tool parameters may be transmitted off-platform. In this context, the skill also exports dynamic services from a remote gateway, which raises the risk of users unknowingly disclosing prompts, arguments, or environment-derived data to a third party.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
When debug mode is enabled, the code logs the full request headers object, which includes the X-API-Key value. Anyone with access to console output, CI logs, or shared terminal history could recover the credential and use it to access the AICADE Galaxy admin gateway. In this skill context, that is more dangerous because the script enumerates privileged gateway services from an /admin endpoint, so the leaked key may expose paid APIs and monetization tooling.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
When debug mode is enabled, the script logs the full outbound request headers, including the X-API-Key value. This can leak the API key into console output, CI logs, shell history capture, or centralized log collectors, enabling unauthorized use of the AICADE Galaxy gateway if those logs are accessed.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
Printing the raw request payload to stdout can expose sensitive user inputs without consent or redaction. In this skill's context, arguments may relate to paid APIs, subscriptions, or blockchain/payment workflows, which makes leakage more concerning because operational, financial, or identity-linked data may be present in normal requests.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The debug logger serializes full input and output objects, which can reveal both sensitive requests and sensitive downstream service responses. Since this skill interfaces with external platform tools for monetization and payment-like workflows, response bodies may include account, billing, or other commercially sensitive data that should not be broadly logged.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
When AICADE_GALAXY_DEBUG=true, the script logs the full invocation payload before the request and the full result after the response. In this skill context, payloads and responses may contain API inputs, user data, payment-related information, or service outputs, so enabling debug mode can expose sensitive data to logs, terminals, CI systems, or shared agent telemetry.
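The logging findings above all describe the same two defects: the invocation payload is printed on every call, and debug mode dumps the raw headers (including X-API-Key) and the full input and output objects. The following is an added example, not the skill's own code, showing the unsafe pattern beside a hardened debug logger that stays silent unless AICADE_GALAXY_DEBUG is set, masks credential headers, redacts payload fields by name, and truncates long strings. The AICADE_GALAXY_DEBUG switch and the X-API-Key header come from the findings; the list of redacted field names is an assumption and should be adapted to the real payload schema.

```javascript
// Added example: hardened debug logging for a gateway-calling skill.
// Not taken from the AICADE Galaxy skill; field names below are assumptions.

// Header names whose values must never reach a log line.
const SENSITIVE_HEADERS = new Set(['x-api-key', 'authorization', 'cookie', 'proxy-authorization']);
// Payload keys treated as secrets or transaction identifiers (assumed list, extend as needed).
const SENSITIVE_FIELDS = /(api[_-]?key|token|secret|password|wallet|card|iban|account)/i;
const MAX_STRING = 64;

// The pattern the findings describe: every call prints tool name, payload and headers verbatim.
function unsafeLogLine(toolName, payload, headers) {
  return `${toolName} ${JSON.stringify(payload)} ${JSON.stringify(headers)}`;
}

// Mask credential-bearing headers regardless of their case.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

// Walk an input/output object, masking sensitive keys and truncating long strings.
// The depth guard keeps a pathological response from producing a huge log line.
function redactValue(value, depth = 0) {
  if (depth > 8) return '[TRUNCATED]';
  if (Array.isArray(value)) return value.map((v) => redactValue(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_FIELDS.test(key) ? '[REDACTED]' : redactValue(v, depth + 1);
    }
    return out;
  }
  if (typeof value === 'string' && value.length > MAX_STRING) {
    return `${value.slice(0, MAX_STRING)}...[truncated]`;
  }
  return value;
}

// Debug output is opt-in only; the default is to log nothing about the request body.
function debugEnabled(env = process.env) {
  return env.AICADE_GALAXY_DEBUG === 'true';
}

// Returns the line that may be logged, or null when debug mode is off.
function describeInvocation(toolName, payload, headers, env = process.env) {
  if (!debugEnabled(env)) return null;
  return JSON.stringify({
    tool: toolName,
    headers: redactHeaders(headers),
    payload: redactValue(payload),
  });
}

// Same treatment for the service response before it is written anywhere.
function describeResult(toolName, result, env = process.env) {
  if (!debugEnabled(env)) return null;
  return JSON.stringify({ tool: toolName, result: redactValue(result) });
}

module.exports = { unsafeLogLine, redactHeaders, redactValue, debugEnabled, describeInvocation, describeResult };
```

Usage: `const line = describeInvocation(tool, payload, headers); if (line) console.error(line);` writes to stderr only when debug mode is on, so CI log capture of stdout never sees the request, and even then the API key and named fields are masked.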

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The manifest makes execution of the install step mandatory on first install or activation, but only describes it vaguely as configuring .env and exporting an artifact. A required bootstrap step with broad, underspecified behavior increases supply-chain risk because it can modify local files, collect configuration, or perform network actions before the user understands or consents to those changes.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The manifest explicitly states that installation ensures .env is configured and exports the latest artifact, but it provides no warning that local configuration files may be created or modified. Silent modification of .env is dangerous because it can overwrite secrets, inject attacker-controlled endpoints or tokens, and change later runtime behavior in ways that are hard for users to detect.

VirusTotal

66/66 vendors flagged this skill as clean.
