Agent Credit

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about Aave credit delegation, but it gives an agent real on-chain borrowing and repayment authority while some safety controls and private-key handling are weaker than the documentation implies.

Install only if you are comfortable giving an agent an on-chain credit line. Use a dedicated low-balance agent wallet, prefer environment variables or a secret manager over plaintext config for the private key, set very small per-asset delegation limits, test on testnet first, manually review borrow and repay actions, monitor Aave health factor externally, and revoke delegation when idle.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script defaults to reading secrets and operational parameters from $HOME/.openclaw/skills/aave-delegation even though the skill is named agent-credit. This can cause the repay action to use the wrong RPC endpoint, private key, delegator, pool, or asset mappings, leading to repayment or approvals being executed against unintended accounts or contracts. In a blockchain repayment skill, misbinding configuration is especially dangerous because the resulting transactions are irreversible and may expose funds or credentials across skill boundaries.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This read-only status script unnecessarily loads the agent private key from config or environment and derives the agent address from it, even though no signing or state-changing action is performed. Exposing sensitive key material to a non-transactional utility increases the attack surface: the key can be leaked via logs, process inspection, debugging, inherited environment, or accidental reuse in downstream tooling.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Granting a status-only script access to the agent private key violates least privilege and is especially risky in this skill because the key controls an on-chain borrowing agent. If the secret is exposed, an attacker could impersonate the agent and perform unauthorized borrowing/repayment flows or otherwise abuse delegated credit, potentially causing financial loss or liquidation pressure for the delegator.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to place an agent private key directly into a persistent plaintext config file under the agent workspace. In an agent environment, local files may be exposed to other tools, logs, backups, or accidental commits, making secret theft and unauthorized on-chain transactions a realistic outcome.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script can immediately submit approve and repay transactions using a loaded private key, with no interactive confirmation, dry-run, or explicit safety gate before signing. If invoked with wrong parameters, wrong config, or in an automated context, it can irreversibly grant token allowance and transfer funds to repay someone else's debt; this is more dangerous here because the skill is specifically designed to move value on-chain on behalf of another party.

Session Persistence

Medium
Category
Rogue Agent
Content
3. **Configure the skill**:
   ```bash
   mkdir -p ~/.openclaw/skills/aave-delegation
   cat > ~/.openclaw/skills/aave-delegation/config.json << 'EOF'
   {
     "chain": "base",
   ```
Confidence
88% confidence
Finding
mkdir -p ~/.openclaw/skills/aave-delegation cat > ~/.openclaw

External Script Fetching

High
Category
Supply Chain
Content
1. **Foundry** must be installed (`cast` CLI):
   ```bash
   curl -L https://foundry.paradigm.xyz | bash && foundryup
   ```

2. **Delegator setup** (done ONCE by the user, NOT the agent):
Confidence
97% confidence
Finding
curl -L https://foundry.paradigm.xyz | bash

VirusTotal

66/66 vendors flagged this skill as clean.