ClawHub
Back to skill

Security audit

Lean Proof To Solidity Smart Contract Generator

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for remote AgentPMT blockchain/formal-verification tooling, but it raises Review-level concern because it may send user code and raw private keys to hosted services without sufficiently clear upfront controls.

Review before installing. Use it only with code and artifacts you are comfortable sending to AgentPMT services, and do not provide production private keys. Prefer test accounts, throwaway keys, redacted payloads, or a safer secret-reference mechanism if available.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill repeatedly instructs agents to submit Lean source, Solidity text, ABI data, and simulation payloads to AgentPMT-hosted remote endpoints, but the front matter and early description do not clearly and prominently disclose that user-supplied code and task data leave the local environment. This can cause unintended transmission of sensitive source code, proprietary contract logic, or confidential build artifacts to a third-party service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The schema explicitly accepts `fromPrivateKeyHex`, encouraging users or upstream agents to pass raw private keys into a remote tool call. Even if intended only for local simulation, exposing secret-key material as a normal string parameter creates a high risk of credential leakage through logs, traces, task history, telemetry, or accidental reuse in non-simulation contexts.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal