Web3 & Blockchain Engineering

Security checks across malware telemetry and agentic risk

Overview

This is an educational Web3 engineering guide, not a tool that runs commands or accesses wallets.

Safe to install as a reference skill. Treat its blockchain, smart contract, DeFi, deployment, financial, and compliance output as advisory and review it carefully before using it with real funds, production contracts, or legal decisions; use explicit Web3 wording when invoking it to avoid accidental activation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrase `evaluate blockchain fit` is broad natural language that could plausibly appear in ordinary conversation and unintentionally activate the skill. In an agent environment, ambiguous activation can route user input into this skill when the user did not intend to invoke it, causing context confusion and potentially unsafe tool or workflow selection.

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger `design smart contract` is ambiguous and likely to overlap with many normal developer requests, making accidental activation likely. Because this skill can produce architecture and security guidance, unintended invocation may override a more appropriate specialist skill or cause the agent to follow the wrong procedural framework.

Vague Triggers

Medium
Confidence: 92%
Finding
The phrase `design tokenomics` is common phrasing in crypto discussions and lacks narrowing context, so it may match benign discussion rather than intentional skill invocation. In multi-skill systems, this raises the risk of prompt collision and unintended execution of this skill's instructions.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger `optimize gas` is especially broad because 'gas' can appear in unrelated contexts, and even within software it is short and generic. This increases the chance of false activations that steer the agent into blockchain-specific optimization guidance when the user intended something else.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger `evaluate L2` is generic and under-scoped; 'L2' can refer to many concepts outside blockchain, including networking or cache levels. In an agentic environment this can cause misrouting and unintended skill activation, reducing reliability and potentially causing downstream unsafe decisions based on irrelevant assumptions.

VirusTotal

64/64 vendors flagged this skill as clean.
