ClawHub

Taskmaster Protocol

Security checks across malware telemetry and agentic risk

Overview

This documentation-only crypto escrow skill is purpose-aligned and disclosed, but users must treat its wallet keys and on-chain payment steps as highly sensitive.

Install only if you intentionally want an agent to interact with TaskMaster and on-chain escrow. Use a dedicated low-balance wallet, keep the API key/private key/mnemonic out of logs and shared chats, and require explicit human review before token approvals, escrow creation, task acceptance, rating, cancellation, or payment release.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to call a quickstart endpoint that returns an API key, wallet private key, and mnemonic directly in the response. Exposing seed material in normal workflow is highly dangerous because any logging, prompt leakage, chat history retention, or downstream tool telemetry can permanently compromise the wallet and all funds associated with it.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill provides direct instructions and code for approving token spending, creating escrow, accepting tasks, marking completion, and releasing funds on-chain, but does not clearly foreground that these actions spend real cryptocurrency and are irreversible once confirmed. In an agent-skill context, this increases the chance of unintended autonomous execution leading to permanent asset loss or unauthorized financial commitments.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal