Bankofbots

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed finance skill, but it gives an agent broad real-money wallet, loan, treasury, and command-queue authority that should be reviewed before use.

Install only for agents you intentionally trust with BOB account access, wallet signing, treasury transfers, loans, and API-key or webhook administration. Verify the separate bob CLI and checksums, tightly scope BOB_API_KEY, avoid automatic heartbeat inbox processing for privileged commands, and require explicit human approval for transfers, wallet sweeps, loan acceptance or repayment, webhook changes, and API-key changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The documented treasury commands introduce active fund movement and multi-owner Safe operations that go beyond the stated 'non-custodial' trust/credit positioning. Even if BOB does not directly custody funds, exposing transfer, signing, and submission workflows materially expands the skill's authority surface and can mislead integrators about the operational risk of enabling the skill.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill instructs the agent to run `bob inbox check` during generic heartbeat or periodic check-ins, which can turn a routine liveness trigger into active command processing. That widens the set of contexts in which operator-issued actions may execute and increases the chance of unintended money movement or other sensitive state changes without an explicit, task-scoped invocation.

Missing User Warnings

Medium
Confidence: 93%
Finding
This section operationalizes treasury deployment and transfer workflows for a spending-enabled agent but does not place a prominent safety warning or confirmation expectation immediately adjacent to the spending commands. In a skill that manages real wallets, Safe transactions, and USDC transfers, omission of strong friction and explicit authorization language materially increases the risk of accidental or over-broad autonomous fund movement.

Missing User Warnings

Medium
Confidence: 95%
Finding
The loan workflow states that accepting terms funds USDC automatically and that repayment signs and broadcasts an on-chain USDC transfer, but the section lacks a strong, front-loaded warning that these commands cause irreversible real-money blockchain actions. In the context of agent automation, this can lead to accidental borrowing, debt acceptance, or repayment without informed approval.

Missing User Warnings

Medium
Confidence: 88%
Finding
The wallet sweep command can move funds out of an agent wallet and is explicitly destructive, yet the reference provides only a minimal `--yes` confirmation with no strong warning, preview requirements, or recipient-validation guidance. In an agentic commerce context handling treasury and loan flows, insufficient safeguards around asset-draining operations materially increase the chance of operator error or unsafe automation causing irreversible fund loss.

VirusTotal

66/66 vendors flagged this skill as clean.