Security audit

QinYu

Security checks across malware telemetry and agentic risk

Overview

QinYu is a disclosed cryptocurrency analysis tool that fetches public market data and prints trading-oriented reports, with no evidence of credential access, trade execution, persistence, or hidden behavior.

Install only if you want a local Python crypto-market analysis tool that contacts public market-data APIs. Treat its buy/sell, futures, and leverage suggestions as informational only, not financial advice, and avoid connecting it to automated trading without separate review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises and relies on multiple external market-data APIs, which implies network access, but the manifest does not declare corresponding permissions. Hidden or undeclared network capability weakens transparency and reviewability, making it harder for a platform or user to understand what external communication the skill performs and what data may be sent out.

Vague Triggers

Medium
Confidence: 77%
Finding: The description is very broad and can trigger on a wide range of generic crypto questions, increasing the chance the skill is invoked outside a narrowly intended scope. Over-broad routing is risky because a high-authority skill offering trading strategies may override safer default behavior or be selected for requests where the user did not explicitly ask for this integrated tool.

Natural-Language Policy Violations

Medium
Confidence: 71%
Finding: The documentation is predominantly in Chinese and does not indicate any user language negotiation or fallback behavior. This can create a safety and usability issue because users may receive trading-related guidance they cannot fully understand, increasing the risk of misinterpretation of financial analysis or risk disclaimers.

VirusTotal

66/66 vendors flagged this skill as clean.