Buzz BD
Warn
Audited by ClawScan on May 10, 2026.
Overview
The token-scanning purpose is mostly coherent, but the included elizaOS adapter builds a shell command string from message text, which could let crafted input run local commands.
Treat this as a review-before-install skill. The DexScreener scanning behavior is expected for its purpose, but avoid using the elizaOS adapter until the shell-command construction is fixed, and independently verify any crypto token links or social links before acting on them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this adapter is used, a malicious or malformed token query could run commands with the same permissions as the agent process.
The handler interpolates message.content.text into a shell command string. Because execSync runs that string through a shell, token text containing double quotes, backticks, $(...) or ; could break out of the quoted argument and execute unintended local commands.
execSync(`node ${skillDir}scripts/buzz-scan.mjs --token "${message.content.text}" --json`, { encoding: 'utf-8', timeout: 30000 })
Replace execSync with execFile/spawn and an argument array (no shell), validate token inputs strictly against the address formats the scanner actually accepts, and never pass free-form user messages to a shell.
Users could over-trust social links or token metadata that may still originate from third-party or project-controlled sources.
The skill claims verified working social links, while the provided scanner code appears to output provider-supplied social URLs taken from DexScreener. Users should not treat token links as independently verified unless the implementation is confirmed to perform that verification.
Every token result includes: ... ✅ Social links (verified working)
Label third-party token/social data as untrusted or provider-sourced unless the skill performs and documents independent verification.
It may be harder for users to confirm that the installed artifact matches the advertised project.
The registry source is unknown, and the supplied package metadata references a related but different GitHub repository name. This is a provenance note rather than proof of malicious behavior.
Source: unknown; Homepage: https://github.com/buzzbysolcex/buzz-bd-agent
Verify the ClawHub package contents against the intended GitHub repository before installing or running included scripts.
