ClawHub

KYC.RIP Swap API

Security checks across malware telemetry and agentic risk

Overview

This instruction-only crypto swap skill is purpose-aligned, but it should be reviewed because it guides real fund transfers without enough confirmation and privacy disclosure.

Install only if you intentionally want agent help with cryptocurrency swaps through kyc.rip. Before creating a trade or sending funds, independently verify the provider, asset, network, amount, rate, destination address, refund address, memo/tag, minimums, and deposit address; assume transfers can be irreversible and that wallet and transaction metadata may be shared with third-party providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent/user to create crypto swaps, obtain a deposit address, and send funds, but it does not include any clear warning that blockchain transfers and many exchange operations are irreversible and may result in permanent loss if the route, amount, memo, or address is wrong. In an agent context, this is especially dangerous because the workflow reads as an operational playbook that could normalize autonomous fund movement without adequate user confirmation or risk disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states that all endpoints are public and then guides users to submit wallet addresses, trade identifiers, and transaction details to a third-party API without any privacy or data-sharing disclosure. Because the service is explicitly privacy-themed and no-KYC, omission of data handling warnings is misleading and could cause users to expose sensitive financial metadata they did not expect to share.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal