Swaps Intel

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Swaps Intelligence API integration for checking crypto address and transaction risk, with privacy-sensitive external queries that users should understand before use.

Install only if you are comfortable giving the agent a Swaps Intel API key and sending queried wallet addresses or transaction hashes to Swaps Intelligence. Treat results as heuristic risk signals that may be wrong, and independently verify before taking legal, compliance, financial, or public accusation actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The plan explicitly collects hashed device/user-linked identifiers such as anon_fingerprint and address_hash for abuse control, but the document contains no corresponding notice, consent mechanism, retention limits, or privacy disclosure. Hashing reduces direct exposure but does not eliminate privacy risk, because stable hashed identifiers still enable tracking, correlation across events, and possible re-identification when combined with source, API key, timestamps, and behavior patterns.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The API is explicitly designed to send user-supplied cryptocurrency addresses and related risk/intelligence queries to a third-party service, but the specification does not disclose any privacy, retention, or sharing implications to the user. In an agent setting, wallet addresses and transaction context can be sensitive, so silent transmission to an external provider creates a real privacy and compliance risk even if the transport itself is authenticated.

External Transmission

Medium
Category
Data Exfiltration
Content
**Check an address:**
```bash
curl -X POST https://system.swaps.app/functions/v1/agent-api \
  -H "Content-Type: application/json" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{
```
Confidence
93% confidence
Finding
curl -X POST https://system.swaps.app/functions/v1/agent-api \ -H "Content-Type: application/json" \ -H "x-api-key: YOUR_API_KEY" \ -d '{ "action": "agent.check", "payload": { "address":

VirusTotal

66/66 vendors flagged this skill as clean.
