Crypto Portfolio Tracker API

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward crypto price and portfolio valuation client that contacts PRISM API, with no evidence of hidden execution, destructive behavior, persistence, or unrelated data collection.

Install only if you are comfortable sharing queried crypto symbols with PRISM API, and verify the npm package/repository identity first, because the artifacts use inconsistent names. Do not provide private keys, seed phrases, wallet credentials, or unrelated financial files; the shown code does not need them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README encourages users to submit wallet holdings, symbols, and portfolio data for tracking and valuation, but it does not clearly disclose that these queries may be transmitted to an external provider. In a crypto context, holdings and wallet-related metadata are sensitive financial information that can expose investment positions, wealth, and behavioral patterns if shared without informed consent.

Missing User Warnings

Medium
Confidence: 94%
Finding
The CLI and portfolio-tracking examples imply users can submit holdings data, including potentially sensitive financial positions, but the documentation does not warn that this information may be transmitted to an external provider. Because the skill is explicitly for crypto portfolio analysis, the omitted disclosure is more dangerous: portfolio composition can reveal wealth, trading behavior, and targeted-attack value to third parties.

VirusTotal

53/53 vendors flagged this skill as clean.
