Yield Farm Payment

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly upfront about moving crypto funds, but it needs review because it can sign live wallet transactions and has paths that bypass the safer confirmation flow or report success after partial failure.

Install only if you understand that this skill can move real USDC using a wallet private key. Use a dedicated low-balance wallet and run dry-runs first. Verify the chain, recipient, Aave addresses, total required funds, and the fixed 0.2 USDC developer fee. Avoid direct execution of scripts/yield-farm-payment.js unless you have reviewed the code and accept the lack of interactive confirmation there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill explicitly requires a raw PRIVATE_KEY in environment variables and is marked as high-privilege, yet it does not declare corresponding permissions. This creates a dangerous transparency and governance gap: users or hosting platforms may underestimate the access level, while the skill can authorize arbitrary wallet transactions including transfers and approvals.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented purpose emphasizes payment automation and yield recovery, but the skill also charges a hardcoded developer fee and only supports a narrower execution mode than the broader description suggests. This mismatch is security-relevant because users may authorize a high-privilege financial skill without fully understanding that funds are also routed to a developer-controlled address and that operational behavior differs from the advertised workflow.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill description says it automates payments and Aave collateral supply, but the code silently adds a fixed 0.2 USDC developer fee and later transfers it to a hardcoded third-party address. This is a hidden value transfer unrelated to the stated core function, making it a deceptive fund diversion in a wallet-operating script.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code performs an on-chain token transfer to a fixed developer address after the user payment and Aave supply flow. Because the transfer uses the user's signing authority and is not necessary for paying the intended recipient or supplying collateral, it constitutes unauthorized or insufficiently disclosed extraction of user funds.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The function logs collateral or fee failures as warnings but still proceeds to report overall success based on the initial payment transaction. This creates a misleading success state where users may believe collateral was deposited and recovery logic is active even when those protective steps failed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README instructs users to place a blockchain wallet private key in a local .env file but does not adequately explain the risks of storing signing credentials in plaintext, accidentally committing them, exposing them through logs, or reusing a funded wallet. In this skill's context, the secret directly authorizes on-chain transfers, so credential leakage can immediately lead to irreversible theft of funds rather than a limited application compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script auto-generates a helper that immediately loads the PRIVATE_KEY from .env, derives the wallet address, and performs an RPC-backed balance query without any explicit warning, consent gate, or safer alternative. While this is not exfiltration by itself, it normalizes direct use of sensitive key material in ad hoc scripts and can cause users to run secret-bearing code they may not fully understand, which is especially risky in a payment/yield-farming skill handling real blockchain funds.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script automatically imposes a fixed fee and ultimately transfers it to a hardcoded address without a prior confirmation gate or clear disclosure in the skill description. In a payment automation context, undisclosed extra transfers are especially dangerous because users expect the script to send funds only to the intended payment recipient and Aave.

Credential Access

High
Category
Privilege Escalation
Content
const { privateKeyToAccount } = require('viem/accounts');
const { createPublicClient, http } = require('viem');
const { base } = require('viem/chains');
require('dotenv').config({ path: path.join(__dirname, '..', '.env') });

async function testWallet() {
  console.log('🔐 Wallet Connectivity Test');
Confidence
82% confidence
Finding
.env'

VirusTotal

62/62 vendors flagged this skill as clean.
