Security audit

Uniprofit Trade Search

Security checks across malware telemetry and agentic risk

Overview

This is a bounded UniProfit trade-search connector that sends a user-provided scoped API key and search filters to the configured UniProfit API.

Install only if you intend to use UniProfit trade-search data. Confirm UNIPROFIT_API_BASE_URL points to the legitimate UniProfit service, use a scoped trade_search key, avoid putting confidential business strategy or unnecessary personal data in search filters, and rotate the key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill declares runtime requirements for environment variables and instructs the agent to make authenticated external API calls, but it does not declare explicit permissions or trust boundaries for network and secret use. That can lead to unintended secret exposure or outbound data transmission without clear platform-level controls or user awareness, especially in agent runtimes that rely on declared permissions for enforcement.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill explicitly instructs the agent to send user queries and an authentication header to an external UniProfit API, but it provides no user-facing disclosure or consent language about transmitting potentially sensitive search terms and credentials off-platform. In practice, this can cause privacy, compliance, or trust issues if users assume searches remain local or are unaware that their inputs are being shared with a third party.

VirusTotal

67/67 vendors flagged this skill as clean.
