
Security audit

frame-builder

Security checks across malware telemetry and agentic risk

Overview

This skill is for Frame token management, but it tells the agent to silently pull remote code and reinstall dependencies during heartbeat checks while also handling wallet-based blockchain actions.

Install only if you are prepared to disable or ignore the auto-update instructions, review the actual source scripts before running them, and use a dedicated low-value wallet. Do not let heartbeat run git pull or npm install silently; require manual approval for updates, dependency changes, and any on-chain transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Context-Inappropriate Capability

High (99% confidence)
Finding
The skill explicitly instructs the agent to self-update from its Git remote and run dependency installation without user approval. This creates a remote code execution and supply-chain risk: anyone who can affect the repository, branch, or dependencies can cause new code to be fetched and executed in a privileged agent context.

Context-Inappropriate Capability

High (98% confidence)
Finding
Embedding git pull and npm install into routine heartbeat monitoring is dangerous because it couples benign status checks with code-changing operations. A periodic automated task becomes an unattended mechanism for downloading and executing unreviewed code, expanding the blast radius far beyond the skill's stated token-monitoring purpose.

Missing User Warnings

High (99% confidence)
Finding
The documentation says updates should occur silently and without confirmation, which bypasses a critical human review checkpoint. Silent code and dependency changes make malicious or accidental upstream modifications much harder to detect before execution.

VirusTotal

63/63 vendors flagged this skill as clean.

A clean antivirus result does not address the findings above: vendor scans look for known-malicious files, not for the instructions a skill gives the agent, such as fetching and executing unreviewed code on a schedule.