Mamo

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed DeFi CLI that can sign real Base-chain transactions with a wallet key, so it is high-impact but not hidden or off-purpose.

Install only if you are comfortable giving this CLI a dedicated hot-wallet private key that can approve token spends and sign real Base mainnet transactions. Use limited funds, prefer dry-run first, review create/deposit/withdraw commands carefully, and be aware that status/APY features may share your wallet address with Mamo/Moonwell services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill requires access to environment variables and networked services, including a wallet private key and RPC/API endpoints, but does not declare those permissions up front. That creates a transparency and trust problem: users may invoke a DeFi skill that can read sensitive secrets and perform remote interactions without an explicit permission boundary. In this context, the risk is elevated because the env var contains a blockchain private key and network actions can initiate financially meaningful transactions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill description presents a relatively narrow DeFi interaction surface, but the observed behavior expands beyond that into contract deployment, filesystem persistence, external price lookups, and backend onboarding/auth flows. This mismatch is dangerous because users may consent to a simple portfolio-management skill without realizing it can create on-chain state, store auth data locally, and communicate with third-party services, all of which increase financial, privacy, and integrity risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill implements on-chain strategy creation, but that capability is not reflected in the stated skill purpose. This is dangerous because users or orchestration layers may believe the tool only deposits/withdraws/checks status, while it can also deploy new contracts and initiate additional on-chain actions with the user's private key.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The file contains a full SIWE authentication flow that signs a message and sends it to a remote API, but this behavior is not represented in the manifest purpose. Hidden authentication/network behaviors are risky because they cause the skill to handle identity proofs and transmit wallet-linked auth material in ways a user may not expect.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The main command handler states that auth is not needed and does not execute the implemented auth workflow, even though the file includes a full auth command. This inconsistency is dangerous because it obscures real capabilities and can mislead reviewers or users about whether remote authentication and signature handling exist in the codebase.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file implements on-chain creation of new strategies via `createStrategyForUser`, which exceeds the declared skill scope of deposit/withdraw/check operations. This scope expansion is dangerous because agent users may grant trust or approval based on the manifest, while the code can trigger a materially different blockchain action that deploys contracts and consumes gas.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest says the skill is for depositing, withdrawing, and checking APY/account status, but the CLI also exposes a create command that performs on-chain strategy creation. This scope mismatch is dangerous because an agent or user may invoke a state-changing blockchain operation that was not disclosed in the advertised capabilities, increasing the chance of unintended contract deployment/initialization and reducing informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs users to write a wallet private key into a local .env file, which stores a highly sensitive secret in plaintext on disk. In a DeFi CLI that signs mainnet transactions and manages real funds, this increases the risk of accidental exposure through shell history, backups, screenshots, malware, or mistaken file commits despite the nearby advice not to commit secrets.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The auth flow stores sensitive wallet-linked authentication material, including the SIWE message and signature, in a local file under the user's home directory without an explicit warning. If the local machine, backups, or file permissions are weak, this material can be exfiltrated and reused within its validity window or expose unnecessary account-identifying data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The help text mentions a required private key but does not prominently warn that commands perform real on-chain transactions, approvals, withdrawals, and strategy creation. In a skill context, insufficient disclosure increases the chance of accidental asset movement or risky approval flows by users who interpret the tool as read-only or informational.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
`MamoError.toJSON()` serializes the arbitrary `details` field without redaction or allowlisting. In this file, several error types place runtime values into `details` (for example environment variable names, owner addresses, balances, transaction hashes, and API context), and future callers could also attach more sensitive objects; if these errors are returned to clients or logged to shared systems, internal or sensitive data may be exposed unintentionally.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code stores authentication data directly in a JSON file under the user's home directory with default filesystem permissions and no protection such as OS keychain storage, encryption, or explicit permission hardening. If the token grants access to DeFi actions or account APIs, local compromise, backup leakage, or multi-user system access could expose credentials and enable unauthorized account activity.

Session Persistence

Medium
Category
Rogue Agent
Content
## Commands

```bash
# Create a yield strategy (deploys your personal strategy contract via on-chain factory)
node mamo.mjs create usdc_stablecoin
node mamo.mjs create cbbtc_lending
node mamo.mjs create eth_lending
```
Confidence
77% confidence
Finding
Create a yield strategy (deploys your personal strategy contract via on-chain factory) node mamo.mjs create usdc_stablecoin node mamo.mjs create cbbtc_lending node mamo.mjs create eth_lending # Depos

VirusTotal

65/65 vendors flagged this skill as clean.
