KarmaBank

Security checks across malware telemetry and agentic risk

Overview

KarmaBank matches its stated USDC lending purpose, but it handles wallet funds and loan records with weak safeguards that need review before installation.

Review before installing, especially if you might connect real Circle credentials or funded wallets. Use mock or isolated testnet accounts first, treat local ledger files and CLI output as sensitive, and do not rely on this for production lending until failed transfers fail closed, repayments are reconciled, admin operations are authorized and audited, and the documentation clearly separates demo from real-money behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code returns `success: true` and a fabricated transaction ID when Circle API operations fail, causing the system to record a loan disbursement as completed even though no on-chain transfer occurred. In a lending workflow, this breaks financial integrity, can trigger incorrect accounting or credit state transitions, and may allow agents to be marked as funded or repaid based on nonexistent transactions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The repayment path also fabricates a successful result on transfer failure, directly conflicting with the function's stated purpose of receiving repayment. This can cause the platform to mark debts as repaid without funds being received, leading to loss of principal, inaccurate ledgers, and abuse by borrowers if failures are induced or simply ignored.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The repayment handler ignores the supplied repayment amount and unconditionally marks the loan as fully repaid. In a lending workflow, this allows partial or even invalid repayments to close a debt record, causing inaccurate balances, broken accounting, and possible financial loss if downstream logic trusts loan status.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
When an agent's outstanding balance reaches zero, the code sets the agent status to SUSPENDED, which is the opposite of expected lending behavior. This can lock out agents who successfully repay, creating denial of service against legitimate users and corrupting trust/eligibility state in a credit system.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The ledger exposes a permanent delete operation for loan records, which can erase evidence of debts, defaults, or repayment history. In a lending/credit system, allowing destructive removal of financial records undermines auditability and can enable fraud, dispute evasion, or manipulation of an agent's credit standing.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The service includes portfolio-wide administrative operations such as listing all agents, listing all loans, retrieving overdue loans, and aggregate loan statistics, which exceed the borrower-centric functionality described in the skill metadata. If these methods are reachable by an agent or exposed through tool wrappers, they enable unnecessary cross-tenant visibility into other agents' financial activity and expand the attack surface for abuse.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code allows arbitrary mutation of an agent's credit score and status via updateCreditScore, suspendAgent, and reactivateAgent with no authentication, authorization, approval workflow, or provenance checks shown. In a lending system, these controls directly govern borrowing eligibility, so misuse could unfairly deny service, restore blocked borrowers, or manipulate creditworthiness to obtain funds fraudulently.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The service exposes bulk enumeration methods for all agents and loans, including optional status filters, without any visible access control or data minimization. In the context of a borrower-focused credit skill, this creates unnecessary access to other users' sensitive lending metadata and can facilitate profiling, targeting, or broader abuse of the system.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to register agents, create wallets, and borrow USDC, and references real external services like Circle and Moltbook, but does not clearly warn that these actions may create external accounts, invoke financial operations, or require handling sensitive API credentials. Even if framed around testnet usage, the absence of explicit safety and environment warnings increases the risk of unintended financial actions, credential misuse, or user confusion about whether operations affect real services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to configure highly sensitive Circle credentials and manage a lending pool wallet, but does not provide an explicit warning about secret handling, wallet control risk, or possible financial loss. In a financial skill, omission of these warnings increases the chance that operators expose credentials insecurely or underestimate the consequences of granting the skill wallet-management access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The borrow and wallet workflow presents fund-moving and obligation-creating commands as routine CLI steps without a clear user-facing warning about blockchain transfers, persistent ledger effects, and repayment liability. In this context, users may trigger real or simulated financial actions with insufficient awareness, especially when '--yes' enables non-interactive approval and the skill can integrate with live wallet infrastructure.

VirusTotal

54/54 vendors flagged this skill as clean.
