Kraken

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Kraken account query tool, but it handles sensitive financial account data and should be used with a least-privilege API key.

Before installing, create a Kraken API key limited to the permissions this skill needs, avoid trading or withdrawal permissions, keep the key and secret out of chat/logs/version control, protect any .env file, and use raw account-history or deposit-address commands only when you intentionally want that sensitive data displayed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence: 84%
Finding
The module is presented as a safe, portfolio-focused wrapper, but it explicitly permits arbitrary passthrough to another API script. That mismatch can mislead users into invoking broader functionality than expected, including potentially sensitive account or trading operations exposed by kraken_api.py.

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The file's apparent purpose is portfolio reporting, yet it contains a generic execution path that forwards arbitrary commands to another script. In a skill context, hidden or unnecessary execution capabilities increase risk because they widen the attack surface beyond the user's reasonable expectations.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill instructs users to export Kraken API credentials and optionally place them in a .env file, but provides no warning that these are sensitive secrets that must never be shared, logged, committed, or exposed to the model output. In an agent setting, this omission is risky because users may paste live credentials into chat or store them insecurely, leading to account compromise or unauthorized access to financial data and account actions permitted by the key.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill documents private account, earn, and funding commands that access sensitive financial information such as balances, orders, trades, ledger history, and deposit addresses without any privacy warning or guidance on safe disclosure. In a conversational agent context, this increases the chance that highly sensitive financial data will be retrieved and echoed into chat transcripts, logs, screenshots, or shared contexts, creating unnecessary exposure of user assets and transaction history.

Missing User Warnings

Medium
Confidence: 73%
Finding
The tool executes another script based on user-supplied arguments while presenting itself mainly as a portfolio helper, without a strong user-facing warning that broader command execution occurs. In this context, the issue is unsafe capability exposure and surprise execution semantics rather than shell injection.

VirusTotal

64/64 vendors flagged this skill as clean.
