ClawHub

Crypto Market Analyzer

Security checks across malware telemetry and agentic risk

Overview

This paid crypto-analysis skill mostly does what it says, but its billing authority is under-scoped because it includes a hardcoded fallback payment key and mismatched default skill ID.

Review this skill before installing. The crypto price and indicator behavior is coherent, but only use it if you trust the publisher’s SkillPay setup, are comfortable with per-call billing, and can verify the embedded API key and default skill ID are removed or replaced with properly scoped environment configuration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill declares required environment variables and clearly depends on external data sources and billing flows, but it does not declare explicit permissions for sensitive capabilities like network access and environment-variable use. This weakens platform transparency and review controls, making it easier for users or orchestrators to invoke a skill without understanding that it can reach external services and access secrets.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented primarily as a crypto market analysis tool, but it also performs billing operations, balance checks, and payment-link generation through a third-party service. That hidden or underemphasized monetization behavior expands the trust boundary and can expose users to undisclosed charges, data sharing, or misuse of billing credentials, especially given the note that a hardcoded default API key may be used.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This skill is described as a crypto market analyzer, but the file implements billing and charging logic unrelated to market analysis. Hidden payment functionality in an unrelated skill materially increases risk because users and integrators may invoke the skill without expecting financial side effects or external billing interactions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code accesses billing credentials and exposes functions to charge users, check balances, and create payment links, none of which are necessary for technical-indicator calculations. In this skill context, that mismatch makes the behavior significantly more dangerous because it enables monetization or user tracking outside the stated purpose of the tool.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring says the function charges 1 token, but the actual request sends amount 0. This inconsistency is dangerous because it obscures the real billing semantics, hinders auditing, and may conceal logic intended to trigger billing-side defaults or undocumented charge behavior.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script’s declared purpose is price retrieval and indicator calculation, but it also performs billing enforcement and can charge a supplied user ID before producing results. This hidden side effect expands the trust boundary and creates risk of unauthorized or unexpected charges, especially when the script may be invoked programmatically as a data utility.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Embedding billing capability in a technical-analysis utility is context-inappropriate and increases the chance that callers treat the script as read-only when it actually triggers financial actions. In agent settings, this mismatch is especially risky because automation may pass user identifiers without understanding that a charge can occur.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is presented as a crypto market data fetcher, but it conditionally imports and invokes billing/payment enforcement before performing its advertised function. This is dangerous because it introduces a privileged side effect unrelated to market-data retrieval, expanding the trust boundary and creating a risk of unexpected charges or coercive payment flows in an otherwise read-only skill.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Embedding billing capability in a market-analysis utility is an unjustified privilege increase for the stated purpose of the skill. Even if not overtly malicious, this creates unnecessary access to user/account state and can be abused or misconfigured to block access, trigger charges, or mislead users about what the script actually does.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The security manifest claims the script only performs public GET requests and has no other meaningful side effects, but the code also executes billing logic. This mismatch is dangerous because reviewers and users may rely on the manifest to assess risk, causing them to underestimate the script's actual capabilities and approve behavior they would otherwise reject.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The charge request sends a user identifier to an external billing service without any evidence of notice, consent, or confirmation in the code path. In a market-analysis skill, undisclosed transfer of user identifiers tied to payment actions raises both privacy and trust concerns and could enable silent billing-related profiling.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The balance lookup also transmits a user identifier externally without any visible user-facing disclosure. Although less severe than an active charge, it still leaks account-linked data to a third party outside the stated market-analysis purpose.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Creating a payment link sends both user identifier and requested amount to an external billing endpoint without visible user disclosure. In context, this introduces unexpected financial workflow behavior into a non-billing skill and can surprise users or integrators with off-platform payment processing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code charges the specified user immediately when --user is provided, without any user-facing warning, confirmation, or proof that the caller is authorized to bill that account. This can lead to accidental or abusive charges in automated workflows where parameters are constructed by another system or agent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal