KarmaBank

Security checks across malware telemetry and agentic risk

Overview

KarmaBank is, broadly, a real USDC lending/wallet skill, but it exposes real-looking credentials and grants under-scoped (undeclared) access to financial wallet operations.

Review before installing. Use sandbox/test Circle credentials only, rotate or ignore the exposed Moltbook key, do not run the helper scripts that print or register secrets unless you understand them, and verify whether the product is truly zero-interest before using it for any real funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (45)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
92%
Finding
The skill documents access to environment variables and networked services such as Circle and Moltbook, but the manifest section does not declare corresponding permissions. This creates a transparency and trust problem: an agent or user may install the skill without understanding that it will read secrets from the environment and contact external APIs, increasing the chance of unintended secret exposure or unauthorized outbound requests.

Tp4

Severity
High
Category
MCP Tool Poisoning
Confidence
88%
Finding
The public description frames the skill as a simple zero-interest borrowing tool, but the documented behavior extends to wallet administration, local ledger persistence, Circle secret handling, mock transfer behavior, and broad CLI management operations. This mismatch is dangerous because users may grant trust or run commands under a narrower mental model than the actual capability set, especially where financial operations and secret material are involved.

Description-Behavior Mismatch

Severity
Medium
Confidence
95%
Finding
The skill metadata promises zero-interest borrowing, but the submission repeatedly documents a 5% interest charge and additional late fees. This inconsistency can mislead users and downstream agents about financial terms, causing unauthorized or unexpected debt obligations in a lending context where accurate disclosures are safety-critical.

Description-Behavior Mismatch

Severity
Medium
Confidence
87%
Finding
The metadata says loans are based on Moltbook karma score, but the submission expands eligibility to account age, activity diversity, X verification, and follower count. In a credit-allocation system, undisclosed scoring factors create deceptive behavior and can enable unfair, manipulable, or policy-noncompliant lending decisions by agents relying on the stated description.

Description-Behavior Mismatch

Severity
High
Confidence
87%
Finding
The file performs Circle wallet-setup secret generation and encryption, which does not match the declared skill purpose of issuing USDC loans based on karma score. This mismatch is dangerous because users or agents may grant secrets, permissions, or network access under false assumptions, increasing the chance of unauthorized credential use or hidden operational behavior.

Intent-Code Divergence

Severity
Medium
Confidence
92%
Finding
The script documentation claims it generates a Circle entity secret, but the implementation only creates an RSA key pair and attempts registration. This mismatch can mislead operators into believing a secret was securely created or recovered when it was not, increasing the chance of broken setup, insecure manual handling, or accidental credential misuse in a financial workflow.

Intent-Code Divergence

Severity
Medium
Confidence
97%
Finding
The code sends the raw PEM public key as entitySecretCiphertext even though the comment says the secret should be encrypted with the public key. In a credential/bootstrap flow for a wallet provider, using the wrong artifact can break registration semantics, cause insecure manual fallback handling, and may expose sensitive onboarding data or create a false sense of secure key exchange.

Context-Inappropriate Capability

Severity
Medium
Confidence
95%
Finding
The script reads a sensitive Circle API key from the environment and logs part of it to the console, exposing credential material unnecessarily during a setup flow. Even partial secret disclosure can leak into terminal history, CI logs, screenshots, or support artifacts. This capability is also unrelated to the user-facing lending purpose described for the skill, which raises further concern about unnecessary secret handling.

Context-Inappropriate Capability

Severity
Medium
Confidence
97%
Finding
The script prints the first 30 characters of the Circle API key to stdout. Even partial credential disclosure is sensitive because logs are often persisted, shared in CI/CD output, terminals, or support artifacts, and the exposed prefix materially aids key identification and accidental leakage. In a financial/lending context that manages wallet secrets, credential hygiene should be especially strict.

Intent-Code Divergence

Severity
Low
Confidence
93%
Finding
The script logs sensitive material during secret generation and registration, including the API key prefix and the full entity secret. Console output is commonly captured by shell history tools, CI logs, terminals, and observability systems, so exposing secrets there can lead to credential compromise.

Context-Inappropriate Capability

Severity
Medium
Confidence
88%
Finding
This script uses privileged Circle credentials from environment variables to register an entity secret with an external wallet service, which is a sensitive administrative action. In the context of a skill described as issuing USDC loans based on karma score, this capability is not clearly necessary and expands the attack surface by enabling wallet/secret-management operations that could be abused if the script is invoked in an agent environment.

Context-Inappropriate Capability

Severity
Medium
Confidence
80%
Finding
This test script uses a production-style Circle API key to initialize a developer-controlled wallets client and exercise wallet-management-related functionality that is not necessary for the stated lending skill behavior. Even though it appears intended for debugging, embedding and invoking privileged financial API capabilities in a test script expands the attack surface and can expose sensitive operational functionality if the script is run in shared, CI, or agent-controlled environments.

Context-Inappropriate Capability

Severity
Medium
Confidence
94%
Finding
This debug script reads a sensitive API credential from the environment and prints identifying details about it, including a partial prefix and whether it is a test or production key. Even partial disclosure of secrets and environment classification can aid attackers, especially in CI logs, shared terminals, screenshots, or support bundles. In the context of a lending skill that may control wallets and funds, exposing wallet API details is more dangerous because the credential likely grants access to financial infrastructure unrelated to mere local debugging.

Description-Behavior Mismatch

Severity
Medium
Confidence
89%
Finding
The CLI registers a wallet-related command that is not disclosed in the skill description, creating a capability mismatch between documented and actual behavior. In an agent skill handling borrowing and repayment of USDC, hidden or undocumented wallet functionality is security-relevant because operators may grant trust or permissions based on incomplete understanding of exposed actions.

Intent-Code Divergence

Severity
Low
Confidence
80%
Finding
The top-of-file usage documentation omits the wallet command even though the executable CLI exposes it, which can mislead reviewers and users about the available functionality. While this is primarily a documentation integrity issue, in a financial tool it increases the risk that sensitive operations are overlooked during review, testing, or approval.

Intent-Code Divergence

Severity
Medium
Confidence
97%
Finding
When an agent's outstanding balance is fully repaid, the code sets the agent status to SUSPENDED instead of restoring or preserving a healthy post-repayment state. In a lending workflow this can wrongfully disable borrowers after successful repayment, causing denial of service, corrupted account state, and potentially blocking future legitimate borrowing or account actions.

Context-Inappropriate Capability

Severity
Medium
Confidence
92%
Finding
The storage API accepts an arbitrary filename and passes it directly into path.join before calling fs.unlinkSync, which allows path traversal such as '../' to target files outside the intended data directory. In a lending skill, file deletion is not inherently required beyond controlled application data management, so exposing a generic delete primitive increases the chance that attacker-controlled input elsewhere in the skill could delete local files or corrupt state.

Description-Behavior Mismatch

Severity
Medium
Confidence
86%
Finding
The model exposes a destructive delete(id) operation that permanently removes loan ledger records. In a lending context, deleting financial records can erase audit trails, hide fraud/default history, and undermine repayment, compliance, and dispute resolution, especially if higher layers do not strictly restrict who can call it.

Context-Inappropriate Capability

Severity
Medium
Confidence
88%
Finding
This is effectively the same issue as SDI-1: the component includes an unjustified record-deletion capability for a financial ledger. In a zero-interest credit system, preserving complete historical loan data is important for credit-tier decisions and abuse prevention, so deletion materially increases the risk of tampering and history laundering.

Description-Behavior Mismatch

Severity
Medium
Confidence
89%
Finding
This service exposes portfolio-wide administrative operations such as listing all agents, viewing all loans, getting overdue-loan and aggregate statistics, and changing agent lifecycle state, even though the skill is described as a borrower-facing karma-based lending tool. If these methods are reachable by an agent or untrusted caller, they enable unauthorized visibility into other borrowers' financial data and unauthorized administrative actions.

Context-Inappropriate Capability

Severity
High
Confidence
95%
Finding
The service allows direct manual modification of an agent's credit score through updateCreditScore, which undermines the stated model of karma-based lending where creditworthiness should be derived from Moltbook karma. If abused, this could arbitrarily increase borrowing power, enable fraudulent loan issuance, or unfairly suppress an agent's access to credit.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
The demo explicitly instructs users to place real Moltbook and Circle credentials into a local .env and describes Circle as optional for 'real USDC wallet integration', but it does not prominently warn that this moves the workflow out of demo mode into potentially real wallet and fund operations. In a financial skill, omission of a clear boundary between mock and real operations can cause unintended live transactions or exposure of sensitive financial credentials.

Missing User Warnings

Severity
Medium
Confidence
91%
Finding
The workflow examples normalize use of the --yes flag for borrow and repay commands, which bypasses interactive confirmation for financial actions. Even in a CLI demo, encouraging non-interactive approval increases the chance that an agent or user will execute unintended loan or repayment actions without a final review step.

Missing User Warnings

Severity
High
Confidence
97%
Finding
This section provides a full end-to-end live workflow: writing real credentials, registering, creating a Circle wallet, borrowing based on real karma, and checking wallet balance, all without a prominent safety warning. In the context of a lending and wallet-management skill, these instructions materially increase the risk of unintended live asset operations and financial loss if copied blindly by an agent or user.

Missing User Warnings

Severity
Low
Confidence
88%
Finding
The README documents use of a remote Moltbook API and passing a moltbookName identifier, but it does not clearly warn users that agent identifiers and possibly related reputation/profile data may be transmitted to a third party. This is a real privacy/security documentation issue because users may operate the tool under the assumption that scoring is purely local, especially since a mock fallback is also mentioned.

VirusTotal

65/65 vendors flagged this skill as clean.