ghostbot-uniswap-v4

Security checks across malware telemetry and agentic risk

Overview

This Sepolia DeFi skill appears purpose-aligned, but it asks for a wallet private key and can send blockchain transactions with weak user safeguards.

Install only after review. Use a throwaway Sepolia wallet, never a mainnet or valuable private key. Treat add-liquidity and post-signal as real wallet-signed transactions: verify the RPC network, wallet address, contract addresses, token amounts, approvals, tick range, autoRebalance setting, and slippage implications before running them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The architecture diagram contains unrelated shell/project commands (`cd packages/video`, `pnpm run studio`) embedded in the request flow, which can mislead an agent or user into executing commands unrelated to the GhostBot workflow. In an agent skill, contradictory operational instructions are dangerous because they blur trusted execution paths and can trigger unintended local actions outside the stated blockchain interaction model.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The script performs an unexpected state-changing action beyond its stated purpose: if balances are low, it invokes ERC20 mint on both tokens before adding liquidity. In a DeFi/LP management skill, silently minting assets changes the trust model and can be dangerous if pointed at privileged test tokens, misconfigured contracts, or if users assume the script only manages existing funds; it can also mask insufficient-funds conditions that should halt execution.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The invocation description is broad enough to activate the skill for general DeFi or AMM discussions, even when no concrete GhostBot action is needed. Over-broad routing increases the chance that an agent enters a tool-capable skill context unnecessarily, exposing users to irrelevant wallet-affecting commands or misleading operational guidance.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The add-liquidity instructions describe a state-changing blockchain operation but do not clearly warn that running the command will submit live on-chain transactions from the configured wallet, including mint/approve/add-liquidity actions. In an agent setting, omission of an explicit transaction warning can cause users or autonomous systems to perform unintended writes, spend gas, or alter wallet state without informed consent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The oracle posting command can modify oracle state and directly influence automated rebalancing or dynamic fee behavior, yet the skill does not present a prominent warning about its operational impact. Because these signals can steer automated trading logic, unclear framing materially increases the risk of accidental market-affecting writes or misuse by a user who does not understand the consequences.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The addLiquidity call sets amount0Min and amount1Min to 0, removing slippage protection entirely. In a concentrated liquidity manager context, this exposes users to adverse execution, price movement, sandwiching, or depositing under materially worse conditions than expected, especially because the skill is intended for automated pool management from chat.

VirusTotal

64/64 vendors flagged this skill as clean.