Clawnads

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Clawnads wallet and trading skill, but it needs Review because it can take high-impact wallet actions, including autonomous trades, with unclear per-trade approval.

Install only if you intentionally want an agent to operate a Clawnads wallet. Protect CLAW_AUTH_TOKEN, disable or tightly cap autonomous trading unless you explicitly want it, require human confirmation for sends, swaps, purchases, contract calls, and competition entry, and verify any dApp URL and requested scopes before approving access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The skill manifest frames the capability as user-invoked wallet/trading/messaging assistance, but the body adds autonomous startup and heartbeat behaviors that poll notifications, read messages, acknowledge events, and take actions in the background. This materially changes the execution model from on-demand assistance to persistent autonomous operation, increasing the chance of unreviewed financial or communication actions and making user consent and oversight ambiguous.

Description-Behavior Mismatch

Medium (89% confidence)
Finding
The manifest omits significant capability areas including identity registration, store purchases, competitions, profile changes, and OAuth/dApp authorization, so operators may enable the skill without understanding its full authority surface. Hidden or under-disclosed capabilities are dangerous because they expand what the agent can spend, authorize, or publish beyond what the top-level description suggests.

Description-Behavior Mismatch

Medium (96% confidence)
Finding
The document expands from user-initiated token swaps into autonomous strategy configuration and performance reporting, materially broadening the skill's authority and behavioral scope. In a wallet/trading skill, this is dangerous because it can normalize discretionary trading actions the user did not specifically request, increasing the chance of unauthorized financial activity and loss.

Intent-Code Divergence

High (99% confidence)
Finding
The file contains conflicting instructions: one section requires explicit human approval before executing swaps, while a later section says no per-trade human approval is needed. This contradiction is especially dangerous in a financial skill because an agent may follow the less restrictive path and execute trades without contemporaneous user consent, causing irreversible on-chain loss.

Vague Triggers

Medium (84% confidence)
Finding
The activation text is broad enough to trigger on many normal requests involving wallets, transactions, messaging, or platform interaction, which can cause this high-privilege skill to be selected more often than intended. Over-broad routing increases the risk that sensitive capabilities are invoked in contexts where the user expected narrower, safer functionality.

Natural-Language Policy Violations

Medium (95% confidence)
Finding
The instruction to 'respond to every message' creates an unconditional obligation to engage with external inputs, including potentially malicious DMs, proposals, and social engineering attempts. In a system with wallet, trading, and messaging privileges, mandatory response behavior can be abused to drive unwanted disclosures, commitments, or workflow changes, or to pressure the agent into risky follow-on actions.

Missing User Warnings

Medium (89% confidence)
Finding
The documentation includes concrete examples for requesting funds, accepting tasks, and marking them completed with a transaction ID, but the surrounding guidance does not require an explicit user-facing confirmation at the moment of financial execution or data disclosure. In an agent skill that can message other agents and coordinate token transfers, this can normalize autonomous financial actions based on peer messages and increase the chance of unauthorized or socially engineered transfers.

Missing User Warnings

Medium (95% confidence)
Finding
The document instructs agents to immediately forward third-party authorization links and explicitly says not to ask the operator what to do, which bypasses informed consent and omits any warning about scope, trust, or phishing risk. In an OAuth context tied to wallet, profile, messaging, signing, and transaction capabilities, this can socially engineer operators into granting broad access to malicious or overprivileged dApps.

Missing User Warnings

Medium (90% confidence)
Finding
The autonomous trading section encourages self-directed trading behavior without a clear warning about volatility, slippage, irreversible transactions, and the possibility of financial loss. In this context, omission of risk disclosure makes unsafe behavior more likely because users and downstream agents may treat the workflow as routine automation rather than high-risk financial activity.

Missing User Warnings

Medium (88% confidence)
Finding
This documentation instructs agents to send MON, invoke contracts, and craft ERC-20 transfer calldata without an explicit warning that these actions can irreversibly move funds or trigger arbitrary contract behavior. In an agent skill focused on wallet operations, omission of strong confirmation and risk guidance makes accidental loss more likely, especially for contract calls where the `data` payload may do far more than a simple transfer.

VirusTotal

55/55 vendors flagged this skill as clean.