ClawHub

AI Agent Lending - Wallet Credit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent crypto lending skill, but it asks users or agents to grant persistent wallet permissions and perform financial blockchain transactions without enough safety boundaries.

Review carefully before installing. Use only a wallet and funds you can risk, verify the API provider and contract addresses independently, prefer short-lived and low-limit permissions instead of never-expiring permissions, and manually inspect every wallet transaction before signing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill provides step-by-step instructions for borrowing, approving token spending, and repaying via smart contracts, but it does not clearly warn users that these actions are real on-chain financial transactions that may be irreversible, incur fees, or expose funds to protocol/contract risk. In a lending skill, this omission materially increases the chance that an agent or operator executes transactions without informed consent or adequate human review.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation instructs users to submit wallet addresses to an external API endpoint and references leaderboard lookups, but it does not disclose that wallet addresses and related activity may be logged, correlated, or publicly exposed. While wallet addresses are pseudonymous, linking them to an agent, credit profile, or usage history can create privacy and profiling risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal