ClawHub

Seedphrase

Security checks across malware telemetry and agentic risk

Overview

This skill only prints static reference text, but it is not a trustworthy seedphrase guide for real wallet recovery.

Install only if you want a lightweight, generic reference script and not real seedphrase recovery guidance. Do not paste real seed phrases into this skill, a terminal, a chat, or any third-party tool; use authoritative wallet documentation or professional security guidance for wallet recovery and backup decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest advertises a seedphrase reference tool, but the command set suggests broad financial and compliance content instead of narrowly scoped seed phrase reference behavior. This discrepancy undermines trust boundaries for agents and users, who may rely on the manifest to decide whether the skill is appropriate for sensitive cryptocurrency recovery operations.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The documentation claims seedphrase-specific functionality, yet the listed commands and descriptions indicate broader, partially unrelated subject matter. In a high-risk domain involving wallet recovery data, such ambiguous scope can cause operators to trust the skill with sensitive tasks it was not designed to support safely.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a blockchain seedphrase reference tool, but the actual content is generic investment, compliance, and operational boilerplate unrelated to seed phrases. In a security-sensitive context like seed phrase handling, this mismatch can mislead users and downstream agents into trusting irrelevant or incomplete guidance, increasing the risk of unsafe handling of wallet secrets or operational mistakes.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The inline documentation explicitly labels the script as a seedphrase tool while the embedded help and command outputs provide broad, non-seedphrase material. This kind of deceptive or inaccurate labeling is dangerous in wallet-secret workflows because users may rely on it for sensitive operations and fail to receive critical security guidance about protecting recovery phrases.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill discusses seed phrases without any warning that they are wallet-recovery secrets whose disclosure can directly compromise funds. In this context, omission of a strong secrecy warning materially increases the risk that users paste real seed phrases into prompts, terminals, logs, or external tools, leading to theft or irreversible account loss.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal