Amm

Security checks across malware telemetry and agentic risk

Overview

This skill presents itself as an AMM/blockchain analysis tool, but its artifacts implement a persistent local entry manager with export, config, and deletion commands.

Install only after reading the command behavior carefully. Treat this as a simple local note/log manager, not an AMM or blockchain security analysis tool. Do not store private keys, secrets, confidential protocol notes, or trading information in it unless you are comfortable with that data being persisted under ~/.amm or AMM_DIR and exported to local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

High
Confidence: 95%
Finding
The command set is a generic entry manager despite the skill claiming AMM analysis functionality. In an agent setting, this can cause unsafe tool selection and execution because the documented purpose encourages use in security-sensitive blockchain contexts while the actual operations manipulate local data instead of analyzing AMM state.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The manifest and documentation create a false security and domain context by advertising AMM analysis while describing behavior consistent with a local database manager. This can mislead users and automated systems into granting trust or permissions inappropriate for the real behavior, enabling hidden data handling and file operations under a misleading label.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill’s stated purpose is AMM analysis, but the implementation is a generic local datastore that can capture, search, persist, export, and modify arbitrary user-supplied text. This mismatch is dangerous because it creates deceptive functionality: a user or higher-level agent may trust it as a domain-analysis tool while it silently acts as a data collection utility, increasing the risk of unintended storage of sensitive prompts, notes, or secrets.

Intent-Code Divergence

High
Confidence: 97%
Finding
The inline documentation explicitly frames the script as an AMM analysis tool, yet the code performs local entry management. In a skill ecosystem, misleading self-description is a security problem because orchestration layers and users may route sensitive protocol-analysis tasks or confidential data to a tool that has unrelated persistence behavior.

Intent-Code Divergence

High
Confidence: 97%
Finding
The help text continues the deception by advertising AMM analysis while exposing commands for adding, listing, searching, removing, exporting, and configuring locally stored entries. This is dangerous because help text is often treated as the authoritative interface contract; misleading commands can facilitate covert data retention under the guise of analysis.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation includes export and configuration-changing functionality without warning about local file writes, possible data exposure, or persistent environment changes. In an agent or automation context, these side effects can lead to silent data exfiltration to files, accidental overwrites, or persistent configuration drift without informed user consent.

VirusTotal

66/66 vendors flagged this skill as clean.
