Zapper Api

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Zapper API helper that matches its stated purpose, with normal privacy considerations around wallet addresses and API keys.

Install only if you are comfortable sending queried wallet addresses and lookup activity to Zapper. Use a dedicated Zapper API key, keep ~/.config/zapper/addresses.json private, and avoid querying all configured wallets when you only intend to check one address.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill explicitly depends on an environment variable for `ZAPPER_API_KEY` and describes making live GraphQL queries to Zapper, which implies outbound network access and use of sensitive configuration. If the platform relies on declared permissions for user awareness, policy enforcement, or sandboxing, omitting these permissions creates a transparency and control gap that can let the skill access network/env capabilities without clear review.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This skill is designed to send wallet addresses, portfolio contents, NFT holdings, and transaction history to Zapper's external API, but the description does not warn users that this data leaves the local environment. Wallet addresses and associated financial activity can be privacy-sensitive, so lack of disclosure may cause users to unknowingly expose on-chain identities and holdings to a third party.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code sends wallet addresses and transaction-related queries to Zapper's external GraphQL API without any explicit consent prompt or privacy notice at the point of use. Wallet addresses and associated portfolio/transaction activity are sensitive financial metadata, and in an agent setting users may not realize their on-chain identifiers are being disclosed to a third party.

VirusTotal

65/65 vendors flagged this skill as clean.
