Clabcraw

Security checks across malware telemetry and agentic risk

Overview

This skill is openly about real-money USDC gameplay, but it gives an agent broad wallet-based spending and transfer ability with weak safety boundaries.

Install only with a dedicated low-balance wallet you can afford to lose. Treat join, autoplay, claim, and tip as real USDC transactions, not simulations; avoid putting a production private key in shell history or checked-in config, and require explicit user approval plus spend limits before allowing an agent to run paid actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requires environment variables containing a wallet private key and explicitly performs network operations against an external API and blockchain-related endpoints, yet it declares no permissions. This creates a transparency and consent problem: operators may run a money-moving, networked skill without clear platform-level permission gating or review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description frames the skill as competing in games for USDC, but the documented behavior also includes tipping the platform, claiming on-chain balances, checking funds, and queue-management actions. This mismatch matters because several of those actions can move or affect real funds, and users may not reasonably expect them from the top-level description alone.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata says it is for competing in 1v1 games, but the client also exposes a tipping capability that can spend user funds for an unrelated purpose. In agent environments, hidden or non-essential payment paths increase the risk of misuse, accidental invocation, or deceptive workflows that transfer money outside the core game function.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This code implements a voluntary donation/payment action that is not necessary to play arena matches, creating an unjustified fund-transfer capability. Even if described as optional, such functionality expands the financial attack surface and can be abused by prompts, wrappers, or future code paths to trigger unintended payments.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-start instructions tell users to export a raw wallet private key into an environment variable without an explicit, prominent warning that the key grants full control over real funds. In agent and automation environments, env vars are commonly exposed to subprocesses, logs, crash reports, and debugging tools, so this materially increases the risk of credential theft and fund loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-start path immediately installs dependencies and runs autoplay, and the documentation states that this joins the queue and pays the entry fee, but it does not present an upfront, unmistakable warning that executing the command spends real USDC. Because the skill is tied to actual wallet credentials and real-money gameplay, a user could incur unintended financial loss by following the example verbatim.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation describes `join()`, `claim()`, and related flows as automatically performing x402 USDC payments and wallet withdrawals, but it does not prominently warn that these are real financial transactions using a wallet private key loaded from environment variables. In an agent-integration context, operators may wire this into autonomous workflows and unintentionally authorize live on-chain spending or withdrawals, increasing the risk of unexpected fund loss or misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples for `claim()` and `tip('1.00')` present fund-moving operations as ordinary API calls without clearly indicating that they initiate real on-chain transfers. In an automation or agent setting, this can lead users to copy the examples into production logic without safeguards, causing unintended transfers of winnings or gratuity payments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation shows `CLABCRAW_WALLET_PRIVATE_KEY=0x...` directly in command lines without emphasizing that this is a highly sensitive secret that can be exposed through shell history, process inspection, logs, or shared terminals. Because this skill is specifically designed to play for USDC, compromise of that key can directly lead to theft of funds and unauthorized transactions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation instructs users to provide a wallet private key for multiple commands but gives no handling or storage warning for this highly sensitive secret. In a skill that performs paid blockchain actions, normalizing raw private-key use without strong cautions increases the risk of key exposure through shell history, logs, environment dumps, or unsafe agent integrations, which could lead to full wallet compromise and loss of funds.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The join command is described as paying a USDC entry fee via x402, but the docs do not prominently warn that invoking it triggers a real paid transaction. In the context of an agent skill for competitive wagering, this omission is dangerous because users or autonomous agents may treat the command as a harmless queue operation and unintentionally spend funds repeatedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The claim command performs an on-chain withdrawal of all claimable USDC and requires gas, yet the docs do not clearly warn that this is a blockchain transaction with irreversible fund movement. In an automation setting, insufficient warning can cause unexpected gas expenditure, mistaken withdrawals on the wrong network/account, or unintended triggering by agents that interpret it as a harmless balance-sync action.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The quick-start directs users to export a wallet private key into an environment variable but does not include any warning about secure key handling, least-privilege wallet use, or the financial risk of exposing signing credentials. In the context of a skill that spends and claims USDC, this omission can lead users to use a real funded wallet in an unsafe way, increasing the chance of credential leakage through shell history, logs, screenshots, shared environments, or misconfigured systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quick-start instructions tell users to export `CLABCRAW_WALLET_PRIVATE_KEY='0x...'` without explicitly warning that this is a highly sensitive secret that grants control over on-chain funds. In this skill's context, the agent is used to enter USDC-backed games and submit transactions, so normalizing private-key handling in shell history or shared environments increases the chance of credential leakage and direct wallet theft.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly promotes real-money play, including a high-stakes $50 entry tier, but does not include a clear risk disclosure about financial loss, gambling-like behavior, or safe-use guidance. In a skill whose purpose is to automate 1v1 games for USDC, this omission can mislead users into deploying agents with real funds without understanding monetary risk, especially since the document frames novice mode as a way to 'verify your agent before spending real money.'

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The claim path sends an on-chain transaction directly once a balance is detected, without any interactive confirmation or safety gate at the point of execution. Although claiming winnings is related to the skill's purpose, blockchain transactions incur gas costs and can be unexpectedly triggered by higher-level agent logic, making silent execution risky.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The tip method performs an automatic paid network action via x402 with no runtime confirmation beyond comments. Because this directly causes a monetary transfer unrelated to gameplay, an agent or integration could invoke it silently, resulting in unauthorized or surprise spending.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description authorizes broad autonomous participation in 1v1 games involving USDC without defining when the skill may be invoked, who must approve wagers, or what limits apply. In a skill that can plausibly drive blockchain transactions using a configured private key, this ambiguity can enable unauthorized gambling activity, fund loss, or misuse outside the user's intent.

Natural-Language Policy Violations

Low
Confidence
77% confidence
Finding
The description hard-codes gameplay for USDC, steering the skill toward real-money activity without presenting user choice, safety controls, or justification for handling financial value. Because the skill metadata also includes wallet and RPC configuration, this increases the chance of the agent initiating value-bearing actions by default, raising risks of financial loss and problematic gambling behavior.

Credential Access

High
Category
Privilege Escalation
Content
try {
  const skillPath = join(__dirname, "..", "skill.json");
  const skillJson = JSON.parse(readFileSync(skillPath, "utf-8"));
  skillDefaults = skillJson.env || {};
} catch {
  // skill.json not found — rely on runtime env vars only
}
Confidence
90% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
### Option 1: Generate a new wallet (recommended for automation)

```bash
mkdir -p ~/.clabcraw && chmod 700 ~/.clabcraw

node -e "
import { generatePrivateKey, privateKeyToAddress } from 'viem'
```
Confidence
83% confidence
Finding
mkdir -p ~/.clabcraw && chmod 700 ~/.clabcraw node -e " import { generatePrivateKey, privateKeyToAddress } from 'viem' const key = generatePrivateKey() console.log('Address:', privateKeyToAddress(key

VirusTotal

65/65 vendors flagged this skill as clean.
