NOFX AI500 Report

Security checks across malware telemetry and agentic risk

Overview

The skill matches its crypto-reporting purpose, but it embeds a real-looking default API key and sets up recurring jobs that send market data and credentials through external services.

Review before installing. Only enable this skill if you are comfortable with recurring cron jobs, outbound NOFX/Binance/Telegram traffic, and optional MiniMax TTS. Replace the embedded NOFX key, rotate it if it was real, avoid placing secrets in URLs or cron messages, confirm the Telegram destination, and know how to remove the scheduled jobs and local known-coin state file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill directs the agent to create cron jobs, execute a shell script, and implicitly write scheduling/configuration state, yet it declares no permissions or trust boundaries. This mismatch can cause the platform or user to approve a seemingly low-privilege skill that actually performs privileged local actions, increasing the risk of unintended command execution or persistent automation.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
Using curl via subprocess gives the skill extra execution capability beyond simple HTTP fetching, increasing attack surface and making security controls, auditing, and sandboxing harder. In this reporting skill, external process execution is not necessary for the stated purpose, so the design is riskier than needed.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script embeds a hardcoded API authentication key directly in source code, which is a real secret-management flaw. Anyone with file access can reuse the credential, and because the skill automatically sends it in requests, compromise can lead to unauthorized API use, billing abuse, or data exposure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This introduces an external text-to-speech service that receives narration text, expanding the skill's data exposure beyond the stated reporting purpose. If reports contain proprietary trading insights, customer data, or unpublished analysis, sending narration text to a third-party API can leak sensitive information outside the user's expected trust boundary.

Vague Triggers

Medium
Confidence
67% confidence
Finding
The description is broad enough to match generic crypto reporting or alerting requests, which can cause the skill to trigger outside the intended NOFX AI500 workflow. Over-broad invocation increases the chance that the agent collects credentials, schedules jobs, or sends messages when the user only wanted a general market summary.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to provide an API auth key, place it into environment variables, and send outputs to Telegram or another external channel, but it does not include warnings about secret handling, log exposure, or data leakage to third-party services. In an automated cron context, environment variables and command arguments may be exposed through process listings, job definitions, logs, or misconfigured notifications, risking credential compromise and unintended dissemination of report contents.

Missing User Warnings

High
Confidence
99% confidence
Finding
The hardcoded credential is automatically transmitted in outbound requests without any disclosure or runtime consent, creating silent credential use and increasing the chance of unnoticed secret leakage. If logs, crash reports, proxy traces, or process monitoring capture full URLs, the auth token may be exposed to operators or third parties.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The cron payload template embeds an API base URL, key, and query-string authentication details directly into an automated agent instruction, and it also instructs the agent to send outbound Telegram notifications. This creates a real secret-handling and exfiltration risk because operators may hardcode credentials into a file, logs, job definitions, or prompts, where they can be exposed to other tools, users, or message destinations. In the context of an automated crypto monitoring/reporting skill with external messaging, this is more dangerous because the workflow is specifically designed for unattended execution and outbound communication.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The template explicitly instructs the agent to send the generated market report to Telegram via a message tool, but provides no user-facing disclosure, confirmation step, destination validation, or data-classification boundary. In an automated cron context, this creates a real exfiltration risk because report contents may include proprietary trading signals, API-derived intelligence, or misconfigured secrets/identifiers that are transmitted to an external chat destination without review.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation instructs sending narration text to an external API without any notice, consent flow, or warning about third-party data sharing. In a market-intelligence context, narration may include nonpublic strategies, internal analytics, or customer-specific content, so undisclosed transmission materially increases confidentiality risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends the authentication key in the URL query string, which can be exposed through shell history, process listings, proxy logs, server logs, monitoring tools, or error telemetry. In a periodic monitoring skill, this is more dangerous because the secret may be reused automatically and leaked repeatedly over time.

Ssd 3

Medium
Confidence
99% confidence
Finding
Embedding the authentication key in the script and concatenating it into request URLs makes disclosure likely through source sharing, backups, logs, terminal history, or exception/reporting systems. In a report-generation skill that fetches live data, this context increases risk because the credential is exercised routinely and may traverse multiple systems.

VirusTotal

66/66 vendors flagged this skill as clean.
