Rotki Crypto Tracker

Security checks across malware telemetry and agentic risk

Overview

The skill is packaged as a rotki crypto portfolio tracker, but its own instructions mainly describe unrelated ZVT stock backtesting, trading workflows, and Sphinx documentation setup.

Review before installing. This does not show clear malware or exfiltration, but the skill's identity is inconsistent and it may guide an agent into finance backtesting, trading-code generation, provider setup, memory access, package installation, workspace writes, and reusable skill creation under a misleading crypto-tracker label.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill’s declared purpose is a self-hosted crypto portfolio tracker, but the operational pipeline and user prompts pivot into stock/quant trading strategy selection and order execution. This kind of capability mismatch can misroute user intent, trigger unintended higher-risk actions, and conceal trading functionality behind an unrelated manifest, which is especially dangerous in financial automation contexts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The documented top use case is Sphinx documentation configuration, which is unrelated to crypto portfolio tracking. This indicates the skill content may be stitched together from unrelated templates or intentionally obfuscated, undermining trust in the declared behavior and increasing the risk that downstream agents invoke the wrong workflow.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The human summary describes a ZVT-based A-share/HK/crypto quant-strategy and backtesting assistant, which materially conflicts with the manifest declaring a self-hosted crypto portfolio tracker with tax reporting. This kind of capability mismatch is dangerous because users, routing systems, or downstream agents may invoke the skill under false assumptions, causing unintended code generation, misuse of permissions, or execution of workflows outside the declared trust boundary.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The documented behavior focuses on stock screening, factor modeling, index components, and backtesting workflows rather than crypto portfolio tracking and tax reporting claimed by the manifest. In context, this increases the risk of deceptive packaging or severe documentation drift, which can mislead operators into granting access, selecting the skill for the wrong task, or overlooking hidden functionality not aligned with the declared crypto-only use case.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The seed metadata and declared skill purpose materially conflict: the skill is presented as a self-hosted crypto portfolio/tax tracker, but the file actually defines ZVT quant strategy, backtesting, and even unrelated documentation behavior. This kind of capability mismatch is dangerous because users or hosts may authorize execution under false assumptions, leading to unintended code generation, data collection, or workflow activation outside the declared scope.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The architecture explicitly implements data collection, factor computation, target selection, and trading/backtesting, which is a materially different operational scope from passive portfolio tracking. Scope deception increases the risk of accidental execution of market-analysis or trading-related workflows when a user expected read-only portfolio functionality.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The post-install notice and human summary actively market A-share quant strategy generation with ZVT, directly contradicting the manifest's rotki crypto-tracker identity. User-facing misrepresentation is especially risky because it can social-engineer consent for unintended actions and undermine any policy gating based on the advertised capability.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
Including a Sphinx/documentation configuration use case inside a purported crypto portfolio tracker shows unrelated capability injection. Unrelated capabilities expand attack surface and make intent routing less trustworthy, increasing the chance that generic requests trigger behavior outside the expected domain.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The execute trigger is broad and ambiguous, combining loose intent matching with generic action verbs like run, execute, fetch, and collect. In an agent ecosystem, such triggers can cause unintended activation from ordinary user language, potentially launching sensitive finance-related workflows without sufficiently precise scoping.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The execute trigger is broad enough to match generic action verbs plus common intent terms, which can cause accidental activation from ordinary conversation. In a mismatched skill like this one, overbroad routing is more dangerous because it may invoke the wrong workflow entirely and bypass the user's actual expectations.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
Generic sample triggers such as broad documentation/configuration prompts can collide with normal user speech and cause unintended skill invocation. Because this skill already has serious identity drift, weak trigger specificity amplifies the chance of accidental or misleading activation.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill's user-facing description does not clearly disclose that execution writes files and may save a reusable skill artifact. Hidden side effects reduce informed consent and can lead users to trigger persistent workspace changes they did not expect.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The protocol instructs the host to query conversational memory before proceeding, creating a pathway for collecting and reusing prior user data even when not strictly necessary for the immediate request. In a skill with confused scope and broad triggers, compulsory memory access increases privacy risk and may expose stale or irrelevant sensitive context to the workflow.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The state machine requires that memory queries be attempted and recorded before execution, operationalizing prior-conversation data collection as a hard workflow step. This creates privacy and data-minimization concerns because execution depends on touching historical user data regardless of whether the task truly needs it.

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal