ClawHub

Gotchi Channeling

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to automate legitimate Aavegotchi channeling, but it can submit real wallet transactions and ships with live-looking default targets plus overstated safety documentation.

Review and replace config.json before running anything, use a dedicated Bankr key if possible, verify parcel and gotchi ownership yourself, and do not enable cron until you are comfortable with recurring real blockchain transactions and possible gas/reward/cooldown effects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation presents parcel-ownership verification as a built-in safety check even though the same file explains that access rights can legitimately authorize channeling on parcels the user does not own. This inconsistency can mislead users into believing the skill enforces a stricter policy than it actually does, increasing the chance they channel on a third-party parcel and lose rewards while still consuming their gotchi's cooldown.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The summary claims the skill protects users from channeling on parcels they do not own, but the document elsewhere states that granted access rights permit exactly that behavior. Because rewards flow to the parcel owner rather than the gotchi owner, this misleading assurance can cause users to trust the tool's protections and unknowingly perform economically harmful transactions on authorized-but-non-owned parcels.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Documenting fallback API-key resolution through `systemctl --user show-environment` expands the skill's access to user-session environment data unrelated to channeling. This can expose unrelated secrets present in the user manager environment and normalizes broader system inspection than is necessary for the stated purpose, increasing the risk of credential disclosure if the scripts implement this behavior.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation explicitly says the skill cannot autonomously perform channeling and should be redesigned as a reminder/tracker, which directly contradicts the advertised capability to build and submit channel transactions safely. This is dangerous because users or downstream agents may rely on a non-existent or blocked security/control path and attempt unsafe workarounds or mis-handle funds/transactions based on false assumptions about what the skill can do.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The reference clearly documents a hard blocker: a backend-generated signature is required for channelAlchemica, meaning the skill cannot safely or independently submit the transaction as claimed. This mismatch can mislead operators into trusting automation that will fail, or worse, encourage insecure bypass attempts around authentication and anti-bot controls.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill automatically searches multiple unrelated local and system sources for a Bankr API key, including user systemd environment and other skill config directories, rather than requiring an explicit credential input. This broad credential discovery expands the trust boundary and can cause the skill to silently consume sensitive secrets the user did not intend to expose to this skill, creating cross-skill credential leakage risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The deployment guide explicitly instructs users to install a cron job that will autonomously invoke a script which submits on-chain transactions, but it does not include a clear warning that this changes wallet state and may spend funds or repeatedly trigger blockchain actions. In the context of a wallet-integrated skill, omission of consent and risk language increases the chance of unintended recurring transactions and operational misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The release notes provide cron automation instructions that can trigger live on-chain channeling transactions, but they do not clearly warn users that scheduled execution may move assets, consume gas, and repeatedly submit real blockchain transactions. In a wallet-connected automation skill for Base mainnet, omission of this warning increases the risk of unintended financial activity, especially for users treating the instructions like harmless monitoring tasks.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
Suggesting reverse engineering of a backend signature endpoint without explicit authorization promotes bypassing access controls protecting transaction signing. In this context, the skill is for blockchain transaction automation, so normalizing that approach increases the risk of abusive automation, terms-of-service violations, or building a workflow around an unofficial and unstable security boundary.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The credential-loading logic accesses sensitive API key material without any user-facing notice, consent prompt, or disclosure that the skill will inspect external locations for secrets. In an agent-skill context, this is especially risky because users may assume the skill only uses its own configuration, while it actually probes shared local state for reusable credentials.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal