问道 Agent SDK

Security checks across malware telemetry and agentic risk

Overview

This is a real blockchain game automation skill, but users should review it carefully because it controls a wallet and can automatically spend tokens despite some documentation describing it as gas-only.

Install only if you intend to run an automated on-chain agent. Use a dedicated low-balance agent wallet, avoid passing private keys with --key, keep only the BNB and $JW you are willing to risk, choose the defensive strategy or a custom no-PK strategy if you do not want token-spending PK actions, and revoke the agent wallet authorization when you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The README makes a materially misleading safety claim that the agent can only perform zero-cost actions and only spends gas, while other sections explicitly describe PK flows that require approve/deposit operations and can spend $JW from the agent wallet. This can cause users to fund and authorize the agent under false assumptions about financial exposure, increasing the chance of unintended token loss.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The PK flow approves tokens and calls depositPK before verifying that apiUrl and JWT are present, even though the subsequent matchmaking/resolve step depends on them. This can lock user funds on-chain in a PK state that cannot be progressed automatically, creating avoidable loss of availability and operational risk until manual recovery or timeout cancellation.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The README promotes autonomous on-chain actions, including optional PK and breakthrough behavior, without an upfront warning that the agent may initiate transactions, consume gas, and potentially spend tokens depending on configuration. In this context, users may treat the skill as a harmless automation helper when it is actually capable of repeated financial actions on-chain.

Missing User Warnings
Severity: High
Confidence: 99%
Finding: Passing a private key directly via the --key command-line flag exposes sensitive material to shell history, process listings, terminal logging, and monitoring tools. Because this skill controls a blockchain agent wallet, disclosure of the key allows an attacker to take over the agent wallet, spend its funds, and perform any contract actions permitted to the bound agent.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill instructs users to run an autonomous on-chain agent that signs transactions and spends gas, but it does not clearly warn that the agent will continuously execute blockchain actions using a supplied private key. In a wallet-integrated automation context, lack of explicit disclosure meaningfully increases the risk of users authorizing unintended spending, unexpected transaction volume, or misuse if they misunderstand the agent's permissions.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The startup example passes a private key directly on the command line, which is dangerous because command-line arguments can be exposed via shell history, process listings, logs, crash reports, and remote session tooling. This creates a direct path to wallet compromise, especially for a blockchain automation tool where possession of the key enables immediate transaction signing.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The agent's start loop autonomously performs state-changing blockchain actions such as level up, SP distribution, breakthrough, meditation control, PK cancellation, approvals, deposits, and settlements without interactive confirmation. In a wallet-controlling agent, this is dangerous because a strategy bug, misconfiguration, malicious dependency, or compromised API can trigger irreversible transactions and token movements repeatedly.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The class persists behavior-derived Merkle leaves to a local file whenever a persistence path is configured, but there is no consent, notice, minimization, or protection around that storage. Even though only hashed leaves are stored, the hashes represent user or agent behavior records and can create privacy, retention, and correlation risks, especially if the file path points to shared or insecure storage.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The code writes a Merkle root derived from behavioral logs to an on-chain contract without any user-facing disclosure or consent checks. Publishing behavior-derived state on-chain is especially sensitive because blockchain records are durable and broadly observable; even if raw logs are not posted, the immutable commitment can still create compliance, auditability, and unwanted tracking risks.

VirusTotal

VirusTotal findings are pending for this skill version.