SUIROLL

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Sui giveaway CLI, but it needs review because it can sign real blockchain transactions and stores Moltbook API credentials locally in plaintext.

Review before installing. Use testnet first, use a dedicated low-value Sui wallet rather than a main wallet, avoid storing or entering secrets in shared or recorded terminals, and delete ~/.config/suiroll/moltbook-session.json when done if you do not want the Moltbook API key retained. Before any mainnet use, verify the network, package and registry IDs, prize amount, gas budget, and transaction target because signed blockchain actions may be irreversible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and instructs use of environment variables and networked blockchain/API operations, but the metadata does not declare corresponding permissions. This creates a transparency and consent gap: an agent or user may invoke a skill that can access secrets and external services without the expected permission disclosure.

Description-Behavior Mismatch

Low
Confidence
93% confidence
Finding
The command persists a Moltbook API key and agent metadata to a local JSON session file, which creates a credential-at-rest risk not obvious from a simple giveaway-entry workflow. If the file is readable by other local users, included in backups, or exposed by malware, the API key can be reused to impersonate the agent against the Moltbook service.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Reading and writing a cached session from ~/.config/suiroll expands the skill's trust boundary from blockchain interaction into local credential storage. While filesystem access itself is not inherently malicious, here it handles authentication material for convenience and therefore increases exposure to local compromise, accidental disclosure, and persistence beyond the user's expectation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This utility reads signing key material from an environment variable and, if absent, generates a fresh blockchain keypair and prints the private key to stdout. In an agent skill context, this is dangerous because logs may be captured by hosts, telemetry, or other tooling, causing immediate wallet compromise, and the ability to autonomously create/use signing keys exceeds a simple giveaway-helper utility's expected trust boundary.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The utility function directly accesses a blockchain private key from environment variables and returns a usable signing keypair. While key handling is expected in a Sui-integrated giveaway tool, this implementation also generates a fallback keypair automatically, which increases the chance of unintended signing with an unmanaged credential and weakens operator awareness about key provenance.

Intent-Code Divergence

Low
Confidence
91% confidence
Finding
The code comments imply keypair generation is limited to development, but the function will generate a new key whenever no environment key is present, regardless of runtime context. This can cause silent misconfiguration, accidental use of ephemeral accounts, and operational mistakes in environments where a persistent funded key is expected.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to place a Sui wallet private key and API credentials into environment variables but provides no warning about the sensitivity of those secrets, the risks of shell history/process exposure, or secure storage practices. In the context of a blockchain giveaway tool, compromise of the wallet key could directly enable unauthorized transactions and loss of funds, while leaked API keys could enable account abuse or impersonation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation tells users to export a private signing key directly into the shell environment without a prominent warning about key theft, shell history/process exposure, or the consequences of compromise. Because this key authorizes on-chain transactions, accidental disclosure can lead to irreversible loss of funds or unauthorized blockchain actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The quick-start flow demonstrates creating and drawing lotteries on testnet/mainnet-capable commands without a clear warning that mainnet operations move real assets and submit irreversible on-chain transactions. In a blockchain skill, omission of transaction-risk disclosure increases the chance of users triggering costly or asset-affecting actions unintentionally.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code writes the Moltbook API key directly to a local session file without encryption, permission hardening, or an explicit warning to the user. Plaintext API key persistence is dangerous because anyone or anything with access to that file can extract the key and authenticate as the victim agent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The interactive login prompts for an API key using standard readline, which echoes the secret back to the terminal as the user types. This can expose the credential to shoulder surfing, terminal recording, shared-session logs, or command-capture tooling, which is especially relevant in CLI and agent environments where sessions may be monitored.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The helper unconditionally builds, signs, and submits any provided transaction using the private key from the environment, with no confirmation, policy check, or transaction inspection step. In an agent skill context, this is dangerous because upstream prompts, tools, or compromised code paths could trigger real on-chain actions automatically, causing unintended asset transfers or contract interactions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code persists the Moltbook API key and agent metadata to a local JSON session file in plaintext, with no warning to the user, no encryption, and no explicit file-permission hardening. If the host is multi-user, compromised, or its home directory is backed up/synced insecurely, the credential can be recovered and reused to impersonate the agent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The interactive flow asks the user for a sensitive Moltbook API key and then saves it locally after authentication, but provides no warning or consent prompt about credential persistence. This increases the chance users unknowingly leave long-lived secrets on disk where they may be exposed through local access, malware, logs, backups, or misconfigured permissions.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
When no configured key is present, the function logs the newly generated private key to console, which is a direct secret disclosure. Console output is commonly captured by CI systems, container logs, process managers, and monitoring platforms, so anyone with log access could steal the credential and use associated funds or identities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The interactive login reads the Moltbook API key using standard terminal input, so the secret is echoed on screen and may also be captured in screen recordings, terminal logging, shoulder-surfing, or shared-session environments. Because this skill handles authentication for AI agents, exposing the API key can let an attacker mint identity tokens and impersonate the agent to external services.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to place sensitive secrets such as `SUI_PRIVATE_KEY` and `MOLTBOOK_API_KEY` directly into shell environment variables without any handling or secrecy guidance. In agent, shared-shell, CI, or logged-session contexts, environment variables are often exposed through shell history, process inspection, crash reports, or downstream tool output, which can lead to account compromise and unauthorized blockchain transactions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly promotes mainnet use where real funds are at risk but does not require users to verify network, contract deployment, recipient addresses, gas settings, or transaction details before signing. In a blockchain skill, omissions around transaction verification materially increase the chance of irreversible fund loss from misconfiguration, phishing, or interacting with the wrong contract/network.

Session Persistence

Medium
Category
Rogue Agent
Content
return null;
}
/**
 * Save session to file
 */
async function saveSession(apiKey, agent) {
    try {
Confidence
88% confidence
Finding
Save session to file

Session Persistence

Medium
Category
Rogue Agent
Content
}

/**
 * Save session to file
 */
async function saveSession(apiKey: string, agent: MoltbookAgent): Promise<void> {
  try {
Confidence
94% confidence
Finding
Save session to file

Session Persistence

Medium
Category
Rogue Agent
Content
import { executeTransaction } from '../utils/signer.js';

/**
 * Load saved session from file
 */
async function loadSession(): Promise<{ apiKey: string; agent: MoltbookAgent } | null> {
  try {
Confidence
91% confidence
Finding
Load saved session

VirusTotal

64/64 vendors flagged this skill as clean.
