Clawdgigs

Security checks across malware telemetry and agentic risk

Overview

This payment-enabled gig marketplace skill is broadly coherent, but it holds real cryptocurrency signing authority and performs remote marketplace mutations with weak safeguards, which is why it warrants Review before installation.

Install only if you are comfortable giving this skill authority over a dedicated, low-balance Solana wallet and a marketplace account you can afford to lose. Do not use a primary wallet key; keep ~/.clawdgigs readable only by your own user; confirm that CLAWDGIGS_API points at the host you expect before any command runs; leave WEBHOOK_HANDLER disabled unless both the receiving endpoint and the handler code are fully trusted; and review the payment, deletion, and order-completion paths yourself before letting an agent run the skill unattended.
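A pre-install audit covering the points above (secret directory permissions, endpoint verification, webhook setting), written here as an added example; it is not code from the Clawdgigs skill or from the scanner. It relies only on names the report itself mentions (`~/.clawdgigs/`, `CLAWDGIGS_API`, `WEBHOOK_HANDLER`); the expected host `api.example.invalid` and the demo fixture are assumptions for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Assumption for illustration: the host the operator has independently confirmed
# (for example from the vendor's own documentation) as the real marketplace API.
EXPECTED_API_HOST = "api.example.invalid"


def _mode(st) -> int:
    return stat.S_IMODE(st.st_mode)


def audit_secret_dir(path: Path) -> list[str]:
    """Problems with a directory holding wallet key material and API tokens.

    Flags: missing directory, directory not owned by the caller, directory or
    regular files with any group/other bits, and symlinks inside the tree.
    """
    issues: list[str] = []
    if not path.is_dir():
        return [f"{path}: does not exist"]
    st = path.stat()
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        issues.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    if _mode(st) & 0o077:
        issues.append(f"{path}: mode {oct(_mode(st))}, expected 0o700")
    for child in sorted(path.rglob("*")):
        cst = child.lstat()
        if stat.S_ISLNK(cst.st_mode):
            issues.append(f"{child}: symlink inside secret dir")
        elif stat.S_ISREG(cst.st_mode) and _mode(cst) & 0o077:
            issues.append(f"{child}: mode {oct(_mode(cst))}, expected 0o600")
    return issues


def harden_secret_dir(path: Path) -> None:
    """Apply 0o700 to directories and 0o600 to regular files; symlinks are left alone."""
    os.chmod(path, 0o700)
    for child in path.rglob("*"):
        cst = child.lstat()
        if stat.S_ISDIR(cst.st_mode):
            os.chmod(child, 0o700)
        elif stat.S_ISREG(cst.st_mode):
            os.chmod(child, 0o600)


def check_api_endpoint(url: str, expected_host: str = EXPECTED_API_HOST) -> list[str]:
    """Require https and an exact host match.

    Userinfo is rejected so that "https://api.example.invalid@evil.invalid" cannot
    pass a naive substring check: its real host is evil.invalid.
    """
    issues: list[str] = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        issues.append(f"CLAWDGIGS_API scheme is {parts.scheme!r}, expected https")
    if "@" in parts.netloc:
        issues.append("CLAWDGIGS_API contains userinfo; refusing ambiguous host")
    if parts.hostname != expected_host:
        issues.append(f"CLAWDGIGS_API host is {parts.hostname!r}, expected {expected_host!r}")
    return issues


def audit_environment(env: dict) -> list[str]:
    """Check the two environment settings the report calls out."""
    issues: list[str] = []
    api = env.get("CLAWDGIGS_API")
    if not api:
        issues.append("CLAWDGIGS_API is unset")
    else:
        issues.extend(check_api_endpoint(api))
    if env.get("WEBHOOK_HANDLER"):
        issues.append("WEBHOOK_HANDLER is set: order data will be posted off-host; confirm the receiver is trusted")
    return issues


def build_demo_dir() -> Path:
    """Constructed fixture: a secret dir with one deliberately over-permissive file."""
    base = Path(tempfile.mkdtemp(prefix="clawdgigs-demo-"))  # mkdtemp creates it 0o700
    key = base / "wallet.json"
    key.write_text('{"note": "constructed placeholder, not a real key"}')
    os.chmod(key, 0o644)  # the mistake the audit should catch
    return base


if __name__ == "__main__":
    demo = build_demo_dir()
    for line in audit_secret_dir(demo) + audit_environment(dict(os.environ)):
        print("WARN", line)
```

Run it before the first use of the skill and again after any reinstall: the directory check is cheap, and the endpoint check is the one that catches a tampered or mistyped `CLAWDGIGS_API` before a token or payment is sent anywhere.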

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding:
The script exposes an agent-accessible command that attempts to complete orders by submitting a transition request with role set to "admin". Even if the backend is supposed to reject unauthorized requests, embedding privilege-escalation behavior in client tooling normalizes and facilitates abuse, and becomes critical if the server trusts caller-supplied roles.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding:
The code explicitly states only clients can complete orders, yet still constructs and sends an admin acceptance request. This mismatch is dangerous because it signals awareness of the restriction while still providing users a built-in mechanism to try bypassing it, increasing the likelihood of misuse and masking insecure trust assumptions in the API.
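The two findings above share one root cause: the client script carries a caller-supplied `role` field, and the only thing standing between that and an unauthorized order completion is whether the backend trusts it. The following is an added example of how the server side should treat such a request; it is not the Clawdgigs backend (the report does not show that code). The order states, the rule that only the buying client may complete an order, and the `role: "admin"` request come from the findings; the `Order`/`Principal` shapes and the admin-from-token rule are assumptions.

```python
from dataclasses import dataclass, replace

# Permitted transitions, keyed by (from_state, to_state). The value is the set
# of relations to the order that may perform it. Only the buying client may
# complete an order, which the report says the script itself acknowledges.
ALLOWED = {
    ("open", "in_progress"): {"provider"},
    ("in_progress", "delivered"): {"provider"},
    ("delivered", "completed"): {"client"},
    ("open", "cancelled"): {"client"},
}

# Requests that carried a "role" key in the body; a cheap abuse signal to log.
SUSPICIOUS: list[tuple[str, str]] = []


@dataclass(frozen=True)
class Order:
    order_id: str
    client_id: str
    provider_id: str
    state: str


@dataclass(frozen=True)
class Principal:
    """Identity established from the bearer token, never from the request body."""
    user_id: str
    is_admin: bool = False


class TransitionDenied(Exception):
    pass


def relation(order: Order, who: Principal) -> str:
    if who.user_id == order.client_id:
        return "client"
    if who.user_id == order.provider_id:
        return "provider"
    return "none"


def transition_trusting_body(order: Order, who: Principal, to_state: str, body: dict) -> Order:
    """Vulnerable variant: honours body["role"], so any caller who sends
    {"role": "admin"} (exactly what the client script does) bypasses the rules."""
    role = body.get("role") or relation(order, who)
    allowed = ALLOWED.get((order.state, to_state))
    if allowed is None or (role != "admin" and role not in allowed):
        raise TransitionDenied(f"{role} may not move {order.order_id} to {to_state}")
    return replace(order, state=to_state)


def transition(order: Order, who: Principal, to_state: str, body: dict) -> Order:
    """Hardened variant: the role is derived from the authenticated principal and
    the order itself; a "role" key in the body is ignored and recorded."""
    if "role" in body:
        SUSPICIOUS.append((who.user_id, str(body["role"])))
    role = "admin" if who.is_admin else relation(order, who)
    allowed = ALLOWED.get((order.state, to_state))
    if allowed is None:
        raise TransitionDenied(f"{order.state} -> {to_state} is not a valid transition")
    if role != "admin" and role not in allowed:
        raise TransitionDenied(f"{role} may not move {order.order_id} to {to_state}")
    return replace(order, state=to_state)


def denied(fn, *args) -> bool:
    """True if the call raised TransitionDenied; keeps the demo below readable."""
    try:
        fn(*args)
    except TransitionDenied:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a provider tries to complete a delivered order as "admin".
    order = Order("ord-1", "client-1", "prov-1", "delivered")
    provider = Principal("prov-1")
    print("trusting body :", transition_trusting_body(order, provider, "completed", {"role": "admin"}).state)
    print("hardened      :", "denied" if denied(transition, order, provider, "completed", {"role": "admin"}) else "allowed")
```

On the client side the fix is simpler still: drop the `role` field from the request entirely. A client that has no legitimate way to act as admin should not contain code that claims to.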

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The README tells users to copy their Solana private key material into a skill-local directory, which encourages unsafe credential handling and increases the chance of wallet compromise through accidental exposure, backups, logs, or overly broad file permissions. In the context of a payment-enabled agent skill, this is especially dangerous because the copied key can authorize real financial transactions and asset transfers.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The webhook section encourages sending order events to an arbitrary public HTTPS endpoint and shows payload fields like buyer wallet and requirements, but it does not warn that this transmits potentially sensitive customer/order data to a third party. Users may unknowingly expose customer data, prompts, or business information to external services they do not fully control.
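If a webhook receiver is used at all, the outbound payload should be allowlisted and the buyer's wallet replaced with a per-receiver pseudonym. The block below is an added example, not the skill's webhook code. The report only says the payload includes fields like the buyer wallet and the requirements text; the exact key names, the allowlist and the sample event are constructed for illustration.

```python
import hashlib
import hmac
import json

# Fields safe to forward to an external receiver (key names assumed). Anything
# not listed is dropped: an allowlist fails closed when new fields appear.
ALLOWED_FIELDS = {"event", "orderId", "gigId", "status", "amountLamports", "createdAt"}

# The two fields the report names as present in the original payload.
NEVER_FORWARD = {"buyerWallet", "requirements"}


def pseudonymize(value: str, receiver_key: bytes) -> str:
    """Per-receiver HMAC pseudonym for a wallet address.

    A plain hash of a public wallet address is trivially reversible by
    hashing known addresses; keying it with a secret held per receiver makes
    the reference stable for that receiver (repeat buyers correlate) without
    revealing the address or letting two receivers join their data.
    """
    digest = hmac.new(receiver_key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "buyer:" + digest[:20]


def minimize_event(event: dict, receiver_key: bytes) -> dict:
    """Allowlist the event and swap the wallet for a pseudonym; requirements text is never sent."""
    out = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    if "buyerWallet" in event:
        out["buyerRef"] = pseudonymize(event["buyerWallet"], receiver_key)
    assert not (set(out) & NEVER_FORWARD)  # the policy, enforced in code rather than by review
    return out


def serialize(payload: dict) -> bytes:
    """Canonical JSON body for the outbound POST (deterministic key order)."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


# Constructed sample event; the wallet string and requirements are placeholders.
SAMPLE_EVENT = {
    "event": "order.created",
    "orderId": "ord-42",
    "gigId": "gig-7",
    "status": "open",
    "amountLamports": 250000,
    "buyerWallet": "PLACEHOLDER_WALLET_ADDRESS_1111",
    "requirements": "Write a landing page for my token; my email and phone are ...",
    "internalNotes": "constructed field that should never leave the host",
    "createdAt": "2024-01-01T00:00:00Z",
}

if __name__ == "__main__":
    print(serialize(minimize_event(SAMPLE_EVENT, b"receiver-one-secret")).decode())
```

The receiver still learns order IDs, amounts and timing, so it remains a data processor; the allowlist just makes the disclosure deliberate instead of accidental.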

Missing User Warnings

Severity: Low
Confidence: 84%
Finding:
The documentation states that API tokens and configuration are stored under `~/.clawdgigs/`, but it provides no warning about local secret handling, filesystem permissions, backup exposure, or multi-user systems. This can lead to credential leakage if the token file is readable by other users, synced to cloud storage, or accidentally committed or exfiltrated.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The delete action performs an irreversible remote deletion immediately after parsing the gig ID, with no confirmation prompt, dry-run mode, or force flag. In a CLI that manages remote marketplace listings, a mistyped command, pasted ID, or accidental invocation can destroy data or disrupt business operations without recovery safeguards.
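A deletion path with the three safeguards the finding says are missing (dry run, confirmation, explicit force flag), as an added example rather than the skill's own delete code. The command name, option names and the retype-the-ID confirmation are assumptions; the remote call is passed in as a callable so the gate can be exercised without a network.

```python
import argparse


def parse_args(argv: list[str]) -> argparse.Namespace:
    p = argparse.ArgumentParser(prog="clawdgigs delete")  # name is illustrative
    p.add_argument("gig_id")
    p.add_argument("--dry-run", action="store_true",
                   help="show what would be deleted and send nothing")
    p.add_argument("--force", action="store_true",
                   help="skip confirmation; the only unattended path, and it stays visible in shell history")
    return p.parse_args(argv)


def run(argv: list[str], ask, delete_remote) -> tuple[str, str]:
    """Gate an irreversible remote deletion.

    ask(prompt) returns the string the user typed, or None when there is no
    interactive user (an agent invoking the tool). delete_remote(gig_id)
    performs the real API call and is only reached on the "delete" path.
    """
    args = parse_args(argv)
    gig_id = args.gig_id.strip()
    if not gig_id:
        return "refuse", "empty gig id"
    if args.dry_run:
        return "skip", f"dry-run: would permanently delete gig {gig_id}"
    if not args.force:
        typed = ask(f"Type the gig id ({gig_id}) to confirm permanent deletion: ")
        if typed is None:
            return "skip", "no interactive confirmation available; re-run with --force to delete unattended"
        if typed.strip() != gig_id:
            return "refuse", f"confirmation {typed!r} does not match {gig_id!r}"
    delete_remote(gig_id)
    return "delete", f"deleted gig {gig_id}"


if __name__ == "__main__":
    import sys
    # Constructed stand-in for the real call; it only records what would be deleted.
    deleted: list[str] = []
    verdict, msg = run(sys.argv[1:], ask=lambda prompt: input(prompt), delete_remote=deleted.append)
    print(verdict, msg)
```

The point of the retype requirement over a y/n prompt is that a pasted or mistyped ID has to be reproduced exactly, and an agent that wants unattended deletion must say `--force` on the command line, where it is auditable.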

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script generates a new agent API token and includes it in the registration payload sent to a remote service, but it does not clearly warn the user at execution time that a long-lived credential is being transmitted and stored server-side. In this skill context, sending registration data to the platform is expected, but silently transmitting a bearer-style token to a third-party backend increases risk if the endpoint is untrusted, compromised, or misconfigured.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt, truncated by the scanner):
echo "🚀 Submitting payment..."

# Step 3: Verify/settle the payment
VERIFY_RESPONSE=$(curl -sL "$CLAWDGIGS_API/payment/verify" \
    -H "Content-Type: application/json" \
    -d "{
        \"gigId\": \"$GIG_ID\",
Confidence: 85%
Finding:
The payment step posts the gig ID, together with the rest of the payment payload (cut off in the excerpt), to `$CLAWDGIGS_API/payment/verify`. With `-s` the transfer is silent and with `-L` curl follows redirects, so whatever host CLAWDGIGS_API resolves to, and any host it redirects to, receives the data. This is expected traffic for a marketplace skill, but it is the channel through which a wrong, tampered or redirecting endpoint would capture payment details, which is why the variable must be verified before the script is allowed to run.

VirusTotal

64/64 vendors reported this skill as clean (0 detections).