ATXSwap

Security checks across malware telemetry and agentic risk

Overview

ATXSwap is a disclosed wallet and DeFi trading skill, but it needs Review because it can move real funds and its publish notes tell users to bypass registry warnings.

Only install after reviewing the source and dependency trust path yourself; do not treat the package's --force instruction as proof that warnings are harmless. Use a low-balance dedicated wallet, verify every preview before confirming any write, avoid passing passwords on the command line, and store exported encrypted keystores only in a secure local location.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The export command can emit the wallet keystore either directly to stdout or write it to any attacker-controlled filesystem path via --out. In an agent setting, this materially increases secret-exfiltration risk because a prompt-injected or confused workflow could cause the agent to dump wallet material into logs, chat output, or an arbitrary file location outside the expected keystore directory.

Natural-Language Policy Violations

Severity: High
Confidence: 98%
Finding: The publish notes explicitly preempt and dismiss the registry's security warning, then instruct users to install the skill with `--force`. That undermines a protective control and conditions users to bypass risk signals for a skill that handles wallets, transfers, swaps, and external APIs, increasing the chance that malicious or unsafe behavior is installed despite warnings.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The burn command directly invokes `client.liquidity.burnPosition(wallet, BigInt(tokenId))` after only checking that a tokenId was provided, with no interactive confirmation, dry-run, or ownership/state preview. In a wallet-management skill for live DeFi positions, this creates a real risk of irreversible user loss through accidental invocation, mistaken tokenId selection, or agent/user misunderstanding, especially since burning LP position NFTs is destructive once the position is empty.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: This script performs real on-chain asset transfers immediately after parsing CLI arguments, with no confirmation prompt, recipient checksum/display verification, or transaction preview. In a wallet-management skill, that creates a meaningful risk of accidental irreversible transfers caused by user error, prompt/argument confusion, or downstream agent misuse.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: When --out is supplied, the keystore is written directly to disk with no user-facing warning about the sensitivity of the data, increasing the chance it is stored insecurely, synced, or later exposed. Although the keystore is encrypted, possession of the file materially aids offline password-guessing and credential theft workflows, especially in agent or shared-host environments.

VirusTotal

66/66 vendors flagged this skill as clean.