valuescan-skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ValueScan crypto market-data skill that uses disclosed API credentials to query ValueScan, with no evidence of hidden execution, persistence, destructive behavior, or secret exfiltration.

Install only if you are comfortable providing ValueScan API credentials and having relevant market queries, token identifiers, and wallet addresses you ask it to analyze sent to ValueScan. Be aware that some authenticated calls consume credits, so ambiguous market questions should be clarified before invoking the API.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium, 97% confidence
Finding
The skill requires authenticated use of a third-party service and supports submission of wallet addresses and market queries, but it does not warn users that this information will be transmitted off-platform. In a crypto-analysis context, wallet addresses, token interests, and trading-related prompts can be sensitive and may reveal holdings, strategies, or identity-linked behavior.

Vague Triggers

Medium, 88% confidence
Finding
The notes define very broad natural-language triggers such as '异动', '资金看涨', '上涨机会', and '看涨代币' to invoke this endpoint. These phrases can easily appear in ordinary user discussion about markets, causing the skill to activate when the user may only be asking for analysis or commentary; in a financial context, that misrouting can bias outputs toward a specific bullish/funds-anomaly dataset and degrade user intent handling.

Natural-Language Policy Violations

Medium, 80% confidence
Finding
The notes instruct the system to use this interface for specific Chinese phrases without offering language flexibility, which can hard-wire routing behavior around one language. While not a direct code-execution or data-exfiltration issue, it can cause inconsistent behavior, exclude non-Chinese users, and create prompt-routing errors when multilingual or translated inputs are used.

Vague Triggers

Medium, 92% confidence
Finding
The note says generic natural-language requests such as '主力分析' or '主力情况' should route to this endpoint, even when the user has not specified a concrete data type or trading context. That broad trigger guidance can cause the agent to invoke the skill on ambiguous prompts, leading to overcollection of data, incorrect tool selection, and potentially misleading financial-analysis output in a trading context.

VirusTotal

VirusTotal findings are pending for this skill version.
