ClawHub

Genlayer Dev Claw Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only GenLayer developer skill whose higher-risk examples are disclosed and aligned with smart-contract development, but users should handle external AI/web calls, keys, and blockchain writes carefully.

Install if you want GenLayer development guidance, but review generated commands before running them. Do not paste real private keys into shells, do not send secrets or personal data to LLM/web-render examples, use localnet or testnet first, verify the active network/account before deploy or write operations, and prefer pinned dependencies and safer APIs for production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill includes runnable examples that send user-provided text to an LLM and fetch arbitrary URLs, but it does not prominently warn that these operations transmit data to external services and may expose sensitive information. In a developer-facing skill, omission of privacy and data-handling guidance can lead users to unintentionally process secrets, personal data, or internal URLs through third-party systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This documentation includes examples that fetch live web content and send it into prompt-based processing without any warning that page contents may be transmitted to external model or network services. In a developer-facing examples file, that omission can lead users to unknowingly process sensitive or regulated data through third-party systems, creating privacy, compliance, and data-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The embeddings example encourages storing and semantically indexing arbitrary log text but does not warn that logs often contain secrets, personal data, tokens, or internal business information. Semantic indexing can make sensitive data easier to retrieve and correlate, and embedding generation may also transmit that data to external components depending on implementation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation exposes `gl.vm.run_nondet_unsafe` and notes only that it lacks sandbox protection and that validator errors cause disagreement, but it does not clearly warn that this weakens isolation and can turn validator-side logic into a denial-of-service or safety issue if used with untrusted inputs or error-prone code. In an SDK API reference, developers may copy the example or select the unsafe variant for performance without fully understanding the trust and failure-model implications, increasing the chance of insecure contract designs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal