OpenCog

Security checks across malware telemetry and agentic risk

Overview

This is a real prediction-market trading skill, but it needs review because it stores a fund-controlling wallet key in plaintext and ships broader contract-control surfaces than its trading instructions disclose.

Install only if you are comfortable reviewing wallet-handling code. Use a throwaway wallet, prefer Sepolia/testnet, do not store valuable mainnet keys in ~/.openclaw/.env, set that file to owner-only permissions, verify which GitHub repository you are installing from, and confirm the exact network, contract, market, shares, and final max/min trade bounds before any transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The ABI exposes createMarket/createCustomMarket and related funding-capable operations even though the skill description says market creation is only 'coming soon' and otherwise frames the skill as a trading tool. That mismatch is dangerous because an agent or user may be induced to invoke higher-risk state-changing functions that create or seed markets, expanding authority and financial exposure beyond the expected scope.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The ABI includes broad administrative and protocol-management methods such as role grants/revocations, allowlist changes, fee/config updates, withdrawals, and ownership-transfer style operations that are not reflected in the manifest's trading-oriented description. In an agent skill context, hidden admin surfaces are especially dangerous because they can enable privilege changes, asset withdrawal, or protocol reconfiguration if the skill or connected signer is misused.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The ABI exposes ownedTokenMint, ownedTokenBurn, ownedTokenMove, and ownedTokenTransferOwnership, which are fundamentally asset-control primitives unrelated to ordinary prediction-market trading. If callable through the skill, these functions could let an attacker or misled agent mint arbitrary tokens, destroy balances, move user assets, or transfer token ownership, creating severe fund-integrity and trust risks.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The module automatically reads arbitrary key/value pairs from ~/.openclaw/.env into process.env, including sensitive values such as PRIVATE_KEY, without scoping or explicit user consent at the point of use. In a skill/plugin context, this expands the trust boundary to the user's home directory and can expose signing capability to any code path that imports this client and invokes wallet operations.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
When generating a wallet, the script appends the raw private key directly to ~/.openclaw/.env without prompting, encryption, or setting restrictive file permissions. A local attacker, backup system, sync service, or other process with access to that file can recover the key and steal all funds controlled by the wallet.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
import { homedir } from "os";
import { existsSync } from "fs";
import { join, dirname } from "path";
import { fileURLToPath } from "url";

// ── Load ~/.openclaw/.env ─────────────────────────────────────────────────────

const ENV_FILE = join(homedir(), ".openclaw", ".env");
if (existsSync(ENV_FILE)) {
  // body elided in this excerpt: KEY=value lines are copied into process.env
}
Confidence: 88%
Finding: .env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
import { homedir } from "os";
import { existsSync, readFileSync } from "fs";
import { join } from "path";

// ── Load ~/.openclaw/.env ─────────────────────────────────────────────────────
const ENV_FILE = join(homedir(), ".openclaw", ".env");
if (existsSync(ENV_FILE)) {
  for (const line of readFileSync(ENV_FILE, "utf8").split("\n")) {
    const m = line.match(/^([A-Z_][A-Z0-9_]*)=(.+)$/);
    if (m) process.env[m[1]] = m[2]; // completed from the finding: PRIVATE_KEY included, no scoping or consent
  }
}
Confidence: 90%
Finding: .env"

VirusTotal

66/66 vendors flagged this skill as clean.
