ClankerKit

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed crypto wallet automation tool, but it gives an agent broad real-money transaction authority with weak scoping and some misleading safety assurances.

Install only with a dedicated low-balance wallet and never a primary wallet key. Keep it on testnet until verified, set tight policies and allowlists, disable or avoid arbitrary transaction execution and arbitrary service payments where possible, and require human review for transfers, swaps, staking, deployments, gas top-ups, policy changes, and any auto-executed trading.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (29)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill description undersells the breadth and severity of its capabilities. In addition to Monad wallet operations, it exposes arbitrary contract execution, direct token transfers, cross-chain swaps, external payments, market trading, and contract deployment, which materially increases the attack surface and the chance a user or orchestrator invokes dangerous actions without informed consent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest frames the skill as Monad wallet operations, but it also exposes cross-chain swap tools for multiple external networks. This capability mismatch can mislead users and upstream agents about the true transaction surface, increasing the chance of unintended asset movement on other chains without appropriate review or controls.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The pay_for_service tool enables spending wallet funds on arbitrary x402-enabled API endpoints, which goes beyond the stated wallet-management purpose and introduces an external payment sink. Without strong endpoint restrictions and disclosure, an agent could be induced to pay attacker-controlled services or incur repeated charges.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill exposes a generic execute_transaction tool that allows arbitrary target, value, and calldata to be submitted on-chain. In a wallet-management skill, this effectively bypasses higher-level guardrails and can be used to transfer assets, approve malicious spenders, interact with arbitrary contracts, or alter wallet state far beyond the stated natural-language wallet operations.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The skill includes pay_for_service and register_agent capabilities that are not reflected in the manifest description. This widens the effective authority of the agent beyond what an operator may expect, creating a security-relevant mismatch between declared and actual behavior.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest scopes operations to Monad, but the code exposes kyber_swap and zerox_swap for cross-chain routing. This expands the trust boundary to external chains and aggregators, increasing the chance of unintended asset movement, routing risk, and policy bypass by users or agents relying on the narrower manifest description.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs users to export a long-lived blockchain private key as an environment variable, but provides no warning about the sensitivity of that credential or safer handling practices. In this skill's context, that key controls autonomous wallet operations such as swapping, staking, and trading, so compromise of the host, shell history, process environment, logs, or misconfigured tooling could lead directly to unauthorized transactions and irreversible loss of funds.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises swapping, staking, trading, transfers, and deployment but does not prominently warn that these actions can move real funds and are often irreversible on-chain. In an autonomous agent setting, omission of such warnings increases the risk of accidental loss, misuse, or unsafe delegation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to provide AGENT_PRIVATE_KEY but does not include strong handling guidance for this secret. Private key exposure would enable full compromise of the agent EOA and potentially any wallet operations, swaps, or approvals the key can authorize.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill advertises autonomous swapping, staking, deployment, trading, and policy management without stating when those actions may be invoked, what approvals are required, or what safeguards apply. For a financial skill with irreversible on-chain effects, missing trigger constraints materially increases the risk of unsafe autonomous execution from ambiguous prompts or indirect prompt injection.

Missing User Warnings

High
Confidence
95% confidence
Finding
This skill exposes many irreversible wallet and trading actions such as token transfers, arbitrary contract calls, swaps, staking changes, policy updates, and wallet deployment, yet the manifest provides no user-facing warnings about financial loss, slippage, wrong-address risk, or permanence. In this context, omission of warnings is dangerous because downstream users or orchestrators may treat the skill as routine infrastructure rather than a high-risk asset-moving capability.

Missing User Warnings

High
Confidence
93% confidence
Finding
send_tokens performs an irreversible asset transfer directly from tool input with no confirmation, destination validation, or policy check visible in this layer. In an autonomous agent context, prompt injection or user error could immediately cause loss of funds.

Missing User Warnings

High
Confidence
94% confidence
Finding
send_token enables arbitrary token transfers with user-supplied token, recipient, and amount, again without visible confirmation or validation at this layer. This is particularly dangerous because malicious token addresses or incorrect decimals assumptions can lead to irreversible loss or transfer of unintended assets.

Missing User Warnings

High
Confidence
99% confidence
Finding
Arbitrary transaction execution without warning is highly dangerous because it permits any contract interaction and native value transfer. An agent or attacker controlling tool inputs could approve token drains, upgrade control settings, or call malicious contracts while appearing to use a legitimate wallet skill.

Missing User Warnings

High
Confidence
90% confidence
Finding
swap_tokens moves assets through a trade path without any visible user warning or final confirmation in this wrapper. Even with quote retrieval, the function executes immediately and can be abused to convert assets into low-liquidity or attacker-controlled tokens, causing value loss.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Staking changes asset state and may lock funds for a period, but the tool executes directly without communicating those constraints before action. In an agent setting, users may not realize the funds become less liquid and subject to validator-specific behavior.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Unstaking is an on-chain state-changing action with timing implications and can affect reward accrual, yet it is performed immediately from parameters. Lack of warning can lead to accidental changes in staking position or mistaken assumptions about immediate liquidity.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
withdraw_stake performs a final on-chain claim action and can fail or claim the wrong pending withdrawal if identifiers are mistaken. Executing without a warning or preview increases the chance of operator error in an irreversible transaction flow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
create_policy modifies wallet control rules, including spend limits and allowed assets/contracts, without visible disclosure or confirmation. Weak or attacker-influenced policy settings could silently broaden wallet permissions and reduce safeguards for subsequent operations.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Updating the daily spending limit directly changes a core safety control for the wallet. If invoked by an untrusted prompt or mistaken instruction, it can increase allowable loss before detection and undermine intended policy protections.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
pay_for_service sends funds and transmits an endpoint parameter to an external service without visible disclosure of payment, recipient, or network interaction. This can be abused for unintended spending or leaking operational metadata to arbitrary endpoints.

Missing User Warnings

High
Confidence
93% confidence
Finding
kyber_swap executes a cross-chain asset movement through an external aggregator with no visible user warning in this layer. Cross-chain swaps introduce extra trust, bridge/routing risk, recipient risk, and settlement complexity beyond a normal same-chain swap.

Missing User Warnings

High
Confidence
92% confidence
Finding
zeroExSwap similarly sends user-selected assets through an external aggregator without disclosure or confirmation. In an autonomous wallet tool, this increases the risk of unintended external approvals, poor execution, or transfers outside the expected Monad-only operating scope.

Missing User Warnings

High
Confidence
95% confidence
Finding
smart_trade supports automated trading and can execute based on a strategy when autoExecute is true, without visible safeguards in this wrapper. This enables delegated market decisions on volatile memecoins, which can rapidly cause losses or repeated unwanted trades if prompted maliciously or configured poorly.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
ensure_gas can move funds from the wallet to top up an EOA, but the transfer occurs without an explicit warning or confirmation. Because it changes fund balances between accounts, it can be abused to siphon value under the guise of routine maintenance.

VirusTotal

65/65 vendors flagged this skill as clean.
