Dapp

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to be an instruction-only Web3 research assistant with no code, install steps, credentials, or transaction authority disclosed.

This skill looks benign from the provided artifacts. Before using it for real investments, remember that it is an analysis aid, not a professional audit or financial adviser. Do not share seed phrases, private keys, exchange passwords, or other credentials, and independently verify any contract-risk or investment conclusions before acting.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI09: Human-Agent Trust Exploitation
Severity: Info

What this means

Users may make investment or protocol-use decisions based on the skill's analysis, so inaccurate conclusions could have financial consequences.

Why it was flagged

The skill is framed around financially consequential decisions, which could lead users to over-rely on its analysis if they do not independently verify results.

Skill content

helps Web3 users and investors make faster and better-informed decisions in a market where information advantage measured in hours translates directly into financial outcomes

Recommendation

Use this as a research aid only; verify important findings with primary sources, professional audits, and independent financial judgment before committing funds.

ASI06: Memory and Context Poisoning
Severity: Low

What this means

Sharing wallet addresses or portfolio details with the agent may reveal financial interests, holdings, and trading patterns in the conversation context.

Why it was flagged

Portfolio positions and wallet activity can be sensitive financial context, even when sourced from public blockchains.

Skill content

monitors your portfolio positions across DeFi protocols

Recommendation

Only provide wallet or portfolio information you are comfortable sharing with the agent, and avoid supplying private keys, seed phrases, exchange logins, or other credentials.