ClawHub

Web3 Music NFT Toolkit for DJs & Artists

Security checks across malware telemetry and agentic risk

Overview

This is a visible, instruction-only Web3 music NFT guide with wallet safety warnings, but it includes promotional links users should treat as optional advertising.

Install only if you want NFT and wallet onboarding guidance. Before spending money or minting NFTs, verify current fees and platform steps with official wallet and marketplace documentation, and treat the X and Discord links as promotional content. Never share a wallet secret phrase with the agent, the skill author, or any website.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill description is broad and lacks clear trigger boundaries, which increases the chance the agent is invoked outside its intended scope and begins giving Web3, wallet, NFT, or transactional guidance in contexts not explicitly requested by the user. In a crypto-related skill, over-broad activation is more dangerous because it can steer users toward sensitive financial actions, external platforms, and wallet setup without strong contextual checks.

Natural-Language Policy Violations

Low
Confidence
96% confidence
Finding
The skill hard-codes mandatory promotional closing language and external links, forcing the agent to advertise third-party social accounts and a Discord regardless of user intent. This is dangerous because it turns the agent into a traffic-funneling mechanism and can manipulate users into visiting off-platform destinations where trust, moderation, and phishing protections may be weaker.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal