Skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed smart-contract assistant that uses Pentagonal tools or API calls for token lookup, contract generation, audits, and deployment guidance; users should still treat outputs as financial-risk code.

Install only if you trust Pentagonal to process token addresses, prompts, and any contract code you submit. Do not paste private keys into chat, keep wallet keys in your own secure tooling, test on testnets first, and get independent review before deploying contracts that will control real value.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High (96% confidence)
Finding
The skill description is extremely broad: it triggers on common verbs like create, generate, build, audit, fix, compile, or look up smart contracts and tokens. In an agent environment, this can cause the skill to activate for many loosely related user requests, increasing the chance that external-network actions or contract-generation workflows are invoked without sufficiently specific user intent.

Missing User Warnings

Medium (92% confidence)
Finding
The skill instructs the agent to send contract addresses, chain identifiers, and optionally an API key to an external service, but it does not require an explicit user-facing warning or consent step before transmission. This creates a privacy and data-governance risk, especially in environments where user queries, proprietary contract addresses, or organization-linked API credentials should not be sent off-platform by default.

VirusTotal

66/66 vendors flagged this skill as clean.
