Back to skill

Security audit

Genlayer Claw Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only GenLayer explainer skill; its blockchain examples need care but the skill itself does not execute code or request sensitive access.

Safe to install as educational reference material. Treat the LLM, web-fetch, staking, escrow, dispute-resolution, and treasury examples as conceptual; production use should add privacy controls, validated data sources, bounded model outputs, human or governance approval for valuable actions, timelocks or circuit breakers, and independent smart-contract security review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide shows direct use of `gl.web.fetch` to send contract-controlled data to an external URL without warning that request contents may leave the blockchain environment and be exposed to third parties. In a smart-contract developer guide, this omission can lead developers to unintentionally transmit sensitive inputs, rely on untrusted off-chain data, or assume privacy properties that do not exist.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The withdrawal instructions describe how to exit and claim stake but do not place an explicit warning near the procedure that funds are illiquid during the 7-epoch unbonding period and may still be reduced by slashing or operational issues before claim. In a staking workflow, omission of these risk disclosures can mislead users into treating exit as routine and low-risk, increasing the chance of financial loss from misunderstanding timing and protocol behavior.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples show AI-driven escrow release, dispute payouts, and treasury rebalancing that can directly move funds or alter financial positions without emphasizing safeguards, human review, bounds checking, or failure handling. In a blockchain smart-contract context, presenting autonomous value-moving patterns without warnings or control mechanisms can encourage unsafe implementations where subjective or externally influenced AI outputs trigger irreversible on-chain actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.