Towns Protocol Skills

Security checks across malware telemetry and agentic risk

Overview

This is a coherent documentation skill for building Towns Protocol bots, with sensitive bot credentials and blockchain actions disclosed as part of that purpose.

Install only if you intend to build or operate a Towns bot. Treat APP_PRIVATE_DATA, JWT_SECRET, RPC keys, and any funded gas wallet as production secrets; do not commit them, keep bot permissions and funds minimal, redact or disable message-body logs outside local development, and revoke webhooks or rotate secrets when the bot is retired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 77%
Finding
The documentation lists highly sensitive variables such as `APP_PRIVATE_DATA`, `JWT_SECRET`, and RPC credentials without any adjacent warning about secret handling, storage, rotation, or prohibition on committing them. In a bot-development skill, users often copy-paste setup blocks directly, so omission of secret-safety guidance materially increases the chance of credential leakage, webhook forgery, or takeover of bot-associated blockchain operations.

Missing User Warnings

Medium
Confidence: 94%
Finding
The debugging guidance logs `event.message` content directly, which can capture private user messages, mentions, secrets, tokens, or other sensitive chat content in application logs. In a bot framework context, developers may copy this example into production or shared staging environments, creating unnecessary retention and exposure of user data without any warning, redaction, or environment guard.

VirusTotal

66/66 vendors flagged this skill as clean.
