ClawHub

openmath-claim-reward

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed OpenMath/Shentu reward query and withdrawal helper, with keyring signing and RPC use clearly tied to that purpose.

Install only if you intend to use local Shentu tooling for OpenMath rewards. Before any withdrawal, verify the exact shentud binary, reward address, key name, chain ID, and RPC node, and approve the broadcast only when they match your intended wallet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions even though it clearly reads environment variables and local files and invokes shell commands. This weakens the trust boundary for users and orchestration systems, because a seemingly harmless skill can access local configuration and execute external binaries without those capabilities being transparently declared.

Tp4

High
Category
MCP Tool Poisoning
Confidence
81% confidence
Finding
The stated purpose is reward claiming, but the documented behavior also includes transaction-status queries, timed waits, and automatic loading of addresses from local config files. More importantly, the actual withdrawal is delegated to a raw shentud command rather than encapsulated in the documented script flow, which can mislead users about what the skill will access and do before they consent.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill advertises reward-claiming/query behavior but also exposes a generic transaction-status lookup mode. That broadens the capability surface beyond the declared purpose, making it easier for an agent or user prompt to repurpose the skill for unrelated blockchain reconnaissance or data access not justified by the manifest.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The tx subcommand accepts an arbitrary transaction hash and queries the chain, which is broader than necessary for claiming or checking reward eligibility. In agent settings, unnecessary generic lookup features can be abused as an unintended side channel or as capability creep beyond least privilege.

Credential Access

High
Category
Privilege Escalation
Content
- [ ] **Env**: If needed, export `SHENTU_CHAIN_ID` / `SHENTU_NODE_URL`, or set `OPENMATH_ENV_CONFIG` to a specific `openmath-env.json`; otherwise use the built-in mainnet defaults and standard config auto-discovery.
- [ ] **Address**: Use an explicit address, or let `query_reward_status.py rewards` auto-discover `prover_address` from `OPENMATH_ENV_CONFIG` or the standard `openmath-env.json` locations.
- [ ] **Query**: Run `query_reward_status.py rewards [address]` (or `shentud q bounty rewards <address> --node <shentu_node_url>`) to see `imported_rewards` and/or `proof_rewards`.
- [ ] **Withdraw**: If any bucket is non-empty, first make sure a local `os` keyring key controls the same address, confirm `shentud keys show <your-key> -a --keyring-backend os` matches the reward address, then run `shentud tx bounty withdraw-rewards --from <your-key> --keyring-backend os --chain-id <shentu_chain_id> --node <shentu_node_url> --gas-prices 0.025uctk --gas-adjustment 2.0 --gas auto` (use `SHENTU_CHAIN_ID` / `SHENTU_NODE_URL` or the built-in defaults).
- [ ] **Wait**: 5–10 s for block inclusion.
- [ ] **Re-query**: Run `query_reward_status.py tx <txhash> --wait-seconds 6`, then `query_reward_status.py rewards <address> --wait-seconds 6` to confirm withdrawal; empty buckets are reported as zero, not error.
Confidence
72% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
- [ ] **Env**: If needed, export `SHENTU_CHAIN_ID` / `SHENTU_NODE_URL`, or set `OPENMATH_ENV_CONFIG` to a specific `openmath-env.json`; otherwise use the built-in mainnet defaults and standard config auto-discovery.
- [ ] **Address**: Use an explicit address, or let `query_reward_status.py rewards` auto-discover `prover_address` from `OPENMATH_ENV_CONFIG` or the standard `openmath-env.json` locations.
- [ ] **Query**: Run `query_reward_status.py rewards [address]` (or `shentud q bounty rewards <address> --node <shentu_node_url>`) to see `imported_rewards` and/or `proof_rewards`.
- [ ] **Withdraw**: If any bucket is non-empty, first make sure a local `os` keyring key controls the same address, confirm `shentud keys show <your-key> -a --keyring-backend os` matches the reward address, then run `shentud tx bounty withdraw-rewards --from <your-key> --keyring-backend os --chain-id <shentu_chain_id> --node <shentu_node_url> --gas-prices 0.025uctk --gas-adjustment 2.0 --gas auto` (use `SHENTU_CHAIN_ID` / `SHENTU_NODE_URL` or the built-in defaults).
- [ ] **Wait**: 5–10 s for block inclusion.
- [ ] **Re-query**: Run `query_reward_status.py tx <txhash> --wait-seconds 6`, then `query_reward_status.py rewards <address> --wait-seconds 6` to confirm withdrawal; empty buckets are reported as zero, not error.
Confidence
72% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
- [ ] **Env**: If needed, export `SHENTU_CHAIN_ID` / `SHENTU_NODE_URL`, or set `OPENMATH_ENV_CONFIG` to a specific `openmath-env.json`; otherwise use the built-in mainnet defaults and standard config auto-discovery.
- [ ] **Address**: Use an explicit address, or let `query_reward_status.py rewards` auto-discover `prover_address` from `OPENMATH_ENV_CONFIG` or the standard `openmath-env.json` locations.
- [ ] **Query**: Run `query_reward_status.py rewards [address]` (or `shentud q bounty rewards <address> --node <shentu_node_url>`) to see `imported_rewards` and/or `proof_rewards`.
- [ ] **Withdraw**: If any bucket is non-empty, first make sure a local `os` keyring key controls the same address, confirm `shentud keys show <your-key> -a --keyring-backend os` matches the reward address, then run `shentud tx bounty withdraw-rewards --from <your-key> --keyring-backend os --chain-id <shentu_chain_id> --node <shentu_node_url> --gas-prices 0.025uctk --gas-adjustment 2.0 --gas auto` (use `SHENTU_CHAIN_ID` / `SHENTU_NODE_URL` or the built-in defaults).
- [ ] **Wait**: 5–10 s for block inclusion.
- [ ] **Re-query**: Run `query_reward_status.py tx <txhash> --wait-seconds 6`, then `query_reward_status.py rewards <address> --wait-seconds 6` to confirm withdrawal; empty buckets are reported as zero, not error.
Confidence
72% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
| Query rewards | `python3 scripts/query_reward_status.py rewards [address] [--config <path>] [--wait-seconds 0]` | Checking claimable imported_rewards and proof_rewards for an address, or auto-discovering `prover_address` from `--config`, `OPENMATH_ENV_CONFIG`, or the default config locations when omitted. |
| Query tx | `python3 scripts/query_reward_status.py tx <txhash> [--wait-seconds 6]` | After withdraw broadcast to confirm inclusion. |

Withdraw is done with raw `shentud tx bounty withdraw-rewards --keyring-backend os` (see workflow above).

### Notes
Confidence
68% confidence
Finding
keyring

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal