Ox Agent Identity

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Web3 identity skill, but users should be careful with wallet private keys and live blockchain writes.

Install only if you are comfortable with Ethereum-style tooling. Use a dedicated low-value wallet, avoid pasting production private keys into shared shells or logs, verify the registry contract and chain before any cast send, test on a testnet first, and review remote installer commands before executing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 94%
Finding
The README instructs users to export a raw private key for write transactions but provides no warning about secret handling, shell history exposure, environment leakage, or the risk of signing real on-chain actions. In a blockchain skill, this is materially dangerous because users may copy production keys into an insecure environment and then use them for irreversible transactions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The quick-start includes a state-changing `cast send` example without warning that it will submit a real transaction, consume gas, and may be irreversible once confirmed. Given this skill is specifically for on-chain identity registration and reputation operations, users are more likely to run the command directly against mainnet or another live network, increasing practical risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill provides `cast send` examples that perform live write transactions using private keys, but it does not give a prominent warning that these actions are irreversible, may spend real funds, and can affect on-chain identity or reputation state. In a DeFi/governance context, users may copy-paste commands into mainnet environments and unintentionally cause permanent state changes or financial loss.

Missing User Warnings

Medium
Confidence: 96%
Finding
The configuration section instructs users to place raw private keys in environment variables without a clear warning about credential sensitivity, shell history leakage, process inspection, CI/CD exposure, or accidental logging. Because this skill targets on-chain identity and governance operations, compromise of these keys could allow unauthorized registrations, reputation updates, attestations, or theft from the associated wallet.

VirusTotal

64/64 vendors flagged this skill as clean.
