ClawHub

Megaeth Developer

Security checks across malware telemetry and agentic risk

Overview

This is a MegaETH developer documentation skill with real blockchain transaction examples, but no evidence of hidden execution, persistence, or data theft.

Install only if you intend to build on MegaETH. Before running any command or code that sends, swaps, approves, bridges, or deploys, verify the chain ID, recipient, token, amount, spender, slippage, bridge address, and gas settings; prefer testnet or small-value trials first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly supports wallet management, token swaps, transaction submission, and bridging, all of which can cause irreversible asset movement, but it provides no user-facing cautions, confirmation guidance, or risk framing. In an agent setting, this omission increases the chance that users are guided into signing, sending, or bridging funds without understanding permanence, destination risk, slippage, or network mismatch consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quick reference includes live transaction and deployment commands (`cast send` and `forge script --broadcast --skip-simulation`) without any warning that they can move funds, deploy irreversible contracts, or target mainnet endpoints. In a developer skill focused on wallet operations and deployment, users may copy-paste these commands directly, increasing the chance of accidental fund loss or unintended mainnet changes.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The latency optimization guidance recommends pre-signing and nonce pipelining without discussing key operational risks such as stale nonces, accidental later broadcast, duplicate submission, and signing transactions that may become unsafe if state or intent changes. In a wallet/transaction development skill, this can lead developers to implement fragile transaction handling that causes unintended fund movement or transaction failures under real conditions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example calls ERC20 approve with maxUint256, creating an unlimited allowance that can let the spender drain all present and future tokens if the spender contract is compromised, upgraded maliciously, or the approved address is wrong. In a wallet operations skill, users are likely to copy this pattern directly, so omitting a warning or safer alternative materially increases risk.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal