tokamak-vault-breach
Review
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only CTF skill is transparent about its goal, but it directs the agent to perform prompt-injection and file-read attacks against an external AI challenge with only limited authorization and provenance guardrails.
Install only if you intend to participate in this specific authorized CTF. Verify the challenge and endpoint independently, keep activity limited to the listed dashboard/API, avoid sharing personal or wallet secrets, and require explicit user approval before attempting breach steps or any blockchain claim.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: The agent may generate manipulative prompts intended to override another system's safety or confidentiality rules.
The skill explicitly instructs the user's agent to attempt prompt-injection techniques against another AI agent. This is central to the CTF, but it is still adversarial goal-hijacking behavior that needs clear authorization.
Evidence: "Attempt to bypass system instructions through creative framing, role-play scenarios, or context manipulation."
Recommendation: Use only if you have verified this is an authorized CTF, and keep activity limited to the listed challenge endpoints.

Finding 2: If used outside the intended challenge, the agent could attempt to extract secrets or sensitive files from a remote system.
The skill directs the agent to induce the remote target agent to use its file-reading capabilities to retrieve a file that is likely a secret. That is tool-exploitation behavior, even though it is framed as a challenge.
Evidence: "file_read" - Read files from the file system; "Key file hint": "/vault.key" may contain important information.
Recommendation: Require user confirmation before active breach attempts, and do not reuse these tactics against systems that are not explicitly in scope.

Finding 3: Users cannot easily verify that the challenge endpoint and reward claims are official or authorized.
The registry metadata does not provide a source repository or homepage that would let a user verify the skill author, the challenge's legitimacy, or ownership of the endpoint.
Evidence: Source: unknown; Homepage: none
Recommendation: Verify the challenge through trusted Tokamak Network channels before using the skill or sending requests to the listed service.

Finding 4: Prompts and interaction history may be visible to the external challenge service or dashboard.
The skill involves agent-to-agent communication with an external hosted AI service. This is purpose-aligned, but every conversation is sent to a third-party endpoint.
Evidence: POST /api/chat | Main interaction with the secured AI agent
Recommendation: Do not include personal information, credentials, wallet secrets, or unrelated private data in challenge messages.
