Back to skill

Security audit

ClawdVine

Security checks across malware telemetry and agentic risk

Overview

This is a real crypto-paid video skill, but it gives agents wallet/payment and onchain identity authority with a documented flow that can start credit-funded generation before final approval.

Install only if you intend to let an agent interact with ClawdVine's crypto payment and identity system. Use a dedicated low-balance wallet, never a main wallet private key, require explicit approval before any generation request including credit-funded ones, and carefully review join, token-launch, profile, systemPrompt, marginFee, and MCP actions before they are sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
Findings (24)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest materially understates the skill's capabilities by describing only video generation/payment while the body also supports agent registration, profile updates, feedback/style operations, search, and token-launch workflows. This can mislead downstream reviewers or users into granting trust or permissions they would not have given if the full scope were disclosed.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The token launch capability is unrelated to the stated purpose of short-form video generation and introduces materially higher-risk financial behavior. Expanding scope from media generation into token deployment increases the chance an agent triggers irreversible blockchain actions that the user did not expect from this skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest presents the skill as short-form video generation, but the document also enables identity registration, onchain minting, profile management, and monetization workflows. That scope expansion matters because an agent or user may consent to a media tool while unknowingly exposing wallets, signing messages, or performing financial/account actions outside the advertised purpose.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documented ability to launch a creator token is materially more dangerous than video generation because it can trigger blockchain asset creation, reputation effects, and financial risk. Embedding token launch in a media skill increases the chance an agent will surface or perform speculative financial actions under a misleading trust boundary.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Allowing updates to agent metadata, system prompts, instructions, and margin fees expands the skill from content generation into identity and monetization administration. In practice this can alter downstream agent behavior, public presentation, and pricing, which exceeds a narrow video-generation trust model.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script enforces a 10M-token eligibility gate before use, which is unrelated to the stated short-form video generation purpose and can be used to impose undisclosed financial or access restrictions on users. In an agent skill context, hidden token-gating is risky because it may coerce users into holding or buying a specific asset and can cause downstream automation to fail unexpectedly when the balance check exits non-zero.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation says the script checks a $CLAWDVINE balance, but the implementation queries a constant named IMAGINE_TOKEN at a hardcoded address, creating a mismatch between the stated asset and the actual one being checked. This discrepancy is dangerous because users and integrators may believe they are being evaluated against one token while the code silently enforces eligibility based on another, enabling deceptive gating and misdirected financial decisions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script advertises that it checks a $CLAWDVINE token balance, but the code actually queries a different hard-coded contract labeled IMAGINE_TOKEN. In a payment or access-control workflow, this mismatch can cause users or downstream agents to make eligibility decisions based on the wrong asset, leading to unauthorized access, denial of service, or financial confusion. In this skill context, where token ownership may gate video-generation or payment-related behavior, the discrepancy is more dangerous because agents may trust the script's stated purpose and use its output for automated decisions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README encourages users or agents to pay with USDC and mint an onchain identity while omitting any warning that these actions can create irreversible financial transactions and permanent onchain artifacts. In an agent skill context, this is particularly risky because an autonomous system may follow installation or usage instructions without understanding wallet spending, network fees, approval scope, or the permanence of identity minting.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly promotes blockchain payment, minting an onchain identity, and monetization, but does not warn users about financial loss, irreversible transactions, wallet security, gas fees, or smart-contract risk. In an agent skill context, this is more dangerous because an autonomous or semi-autonomous agent may follow installation and join instructions and trigger real economic actions without the human operator understanding the consequences.

Ssd 3

Medium
Confidence
89% confidence
Finding
The instructions explicitly tell the agent to persist agent identity, wallet-linked creator data, MCP endpoints, and balance-related values across sessions. Long-term retention of account-linked identifiers increases privacy risk, enables cross-session tracking, and may exceed user expectations or platform data-minimization requirements.

Ssd 3

Medium
Confidence
90% confidence
Finding
The directive to permanently save the agentId in memory/config/environment encourages durable storage of an account-linked identifier without discussing consent, minimization, or deletion. Because the identifier is tied to user activity and attribution, persistent storage can facilitate profiling and unintended correlation across sessions.

Ssd 3

Medium
Confidence
89% confidence
Finding
The instruction to save the returned agentId to memory for future use creates persistent retention of identity-linked data across sessions. In agent environments, persistent memory can later be exposed through unrelated prompts, logs, exports, or tool misuse, creating unnecessary privacy and account-linkage risk.

Ssd 3

Medium
Confidence
84% confidence
Finding
Requiring the agent to always display the full prompt can disclose sensitive user content such as proprietary ideas, personal details, or unsafe text that did not need to be echoed back. This is especially risky in shared interfaces, logs, transcripts, or approval screens visible to others.

Ssd 3

Medium
Confidence
91% confidence
Finding
The repeated directive to permanently store agent identifiers in memory, config, or environment increases the blast radius of compromise and the chance of cross-session leakage. Persistent identifiers tied to wallets or accounts can enable tracking, unintended attribution, or misuse by other prompts and tools.

Self-Modification

High
Category
Rogue Agent
Content
git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add dist/clawdvine-skill.tar.gz
          git diff --staged --quiet || git commit -m "Build: update skill tarball [skip ci]"
          git push
Confidence
95% confidence
Finding
update skill

Unpinned Dependencies

Low
Category
Supply Chain
Content
"build:tar": "node scripts/build-tar.mjs"
  },
  "dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
Confidence
91% confidence
Finding
"@x402/evm": "^2.2.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
Confidence
91% confidence
Finding
"@x402/fetch": "^2.2.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
  "repository": {
Confidence
91% confidence
Finding
"siwe": "^2.3.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
  "repository": {
    "type": "git",
Confidence
91% confidence
Finding
"viem": "^2.45.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"build:tar": "node scripts/build-tar.mjs"
  },
  "dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
Confidence
93% confidence
Finding
"@x402/evm": "^2.2.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
Confidence
93% confidence
Finding
"@x402/fetch": "^2.2.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
  "repository": {
Confidence
92% confidence
Finding
"siwe": "^2.3.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
  "repository": {
    "type": "git",
Confidence
92% confidence
Finding
"viem": "^2.45.1"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.prompt_injection_instructions

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
clawdvine-skill-1.1.0/scripts/build-tar.mjs:54

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/build-tar.mjs:54

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
clawdvine-skill-1.1.0/scripts/check-balance.mjs:22

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
clawdvine-skill-1.1.0/scripts/x402-generate.mjs:29

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/check-balance.mjs:22

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/x402-generate.mjs:29

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
clawdvine-skill-1.1.0/SKILL.md:1564

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:1564