The Flip

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Solana devnet jackpot game, but it needs review because it implicitly reads a local Solana keypair and can submit fund-moving or admin transactions without strong confirmations.

Install only if you are comfortable with a skill that can read a Solana keypair file and sign devnet transactions. Use a dedicated devnet wallet with no real assets, review commands before running them, avoid the curl-piped installer unless you trust and verify it, and do not run withdraw-fees or close-game-v1 unless you understand the operator authority and irreversible effects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill invokes networked resources and can access environment-dependent execution context, but it does not declare permissions or capabilities to the user. That weakens consent and review, because users and platforms cannot accurately understand what the skill may do before running it.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a simple jackpot game, but the associated behavior includes privileged authority actions such as withdrawing operator fees and closing old game state. Even if these actions are legitimate for administration, omitting them from the description creates a trust and transparency gap that can mislead users about who controls funds and lifecycle operations.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script exposes privileged operator workflows such as initialization, fee withdrawal, and migration/closure in a demo tool described primarily as a player-facing game interface. This creates a security and trust mismatch: users running the skill may unknowingly invoke or rely on admin-capable functionality, and the broader surface area increases the chance of accidental misuse or abuse if the operator wallet is present.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script includes a direct fee-withdrawal path that can move funds from the game vault to the authority token account, but this capability is not disclosed in the user-facing skill description. Even if legitimate for operations, hidden or underexplained fund-movement logic is dangerous because it can surprise users, normalize opaque fund extraction, and cause accidental execution with a loaded privileged wallet.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The game-closing migration command performs an administrative lifecycle action unrelated to normal gameplay, yet it is bundled into the same demo script. Closure or migration operations are sensitive because they can permanently alter account state, disrupt service, or interfere with user expectations if run accidentally or by someone holding the authority wallet.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill markets itself as a pure jackpot coin-flip game, but the IDL explicitly exposes an authority-only `withdraw_fees` instruction and tracks an `operator_pool`. That creates a disclosure/integrity issue: users may believe all entry funds feed the jackpot when some portion can be extracted by the operator, which is especially risky in a gambling-style financial application.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The program includes an authority-only `close_game_v1` path that can zero out and reclaim the game PDA at any time, which conflicts with the expected behavior of an ongoing jackpot game. Even if it does not directly transfer vault tokens, wiping core state can permanently disrupt claims, invalidate tickets, and strand funds by destroying the metadata needed to operate or settle the game.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
`close_game_v1` gives the authority unilateral power to wipe program state by draining lamports and zeroing account data, with no checks for outstanding tickets, active jackpot balance, or migration status. In a wagering/jackpot context this is especially dangerous because users rely on the continuity of game state to verify rounds and claim winnings.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to run a command that uses a local Solana keypair file and performs an on-chain `enter` action that spends USDC, but it does not clearly warn that this will sign a transaction and transfer funds. In an agent/skill context, users may copy-paste commands without realizing they are authorizing value transfer from their wallet, increasing the risk of unintended spending.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The entry command causes the user to spend 1 USDC from their wallet, but the command documentation does not present this as a clear spending warning at the point of action. In an agent setting, insufficiently prominent transaction-cost disclosure can lead to unintended fund transfers or unsafe automation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script automatically reads a private key from ANCHOR_WALLET or the default Solana keypair path and immediately uses it for blockchain actions. In a mixed player/admin tool, silent credential loading is risky because users may run commands without realizing a sensitive wallet is being accessed, increasing the chance of unintended signing or operational key exposure on shared systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs irreversible, state-changing admin actions like fee withdrawal and game closure immediately after parsing CLI arguments, without any confirmation prompt or safety interlock. This is especially dangerous because the wallet is auto-loaded, so a typo, copied command, or social-engineering scenario can result in unintended fund transfers or destructive maintenance actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This UI copy explicitly markets a paid jackpot-style game and emphasizes upside ('$1 could become $1M+') without any balancing disclosure about loss of funds, odds, eligibility, or wagering risk. In a gambling-like financial product, omission of basic risk warnings can mislead users into participating without informed consent and may create consumer protection and compliance exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The component explicitly tells users to connect a wallet and let an agent act on their behalf, but provides no visible disclosure about transaction authority, fund risk, approval scope, or the dangers of delegating actions to an automated agent. In a crypto/gambling context, this omission can mislead users into granting wallet access without understanding that assets could be spent, approvals could persist, or unintended transactions could occur.

Unvalidated Output Injection

High
Category
Output Handling
Content
return (
    <style
      dangerouslySetInnerHTML={{
        __html: Object.entries(THEMES)
          .map(
            ([theme, prefix]) => `
Confidence
82% confidence
Finding
dangerouslySetInnerHTML={

VirusTotal

66/66 vendors flagged this skill as clean.