Basecred ERC-8004 Registration

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for ERC-8004 registration, but it asks for raw wallet private keys and can make persistent on-chain changes with limited containment guidance.

Install only if you are comfortable with local scripts that can sign blockchain transactions. Use a fresh low-balance wallet, keep .env out of source control and logs, run dry-run first, inspect the exact chain and fields before confirming, and remember that on-chain/IPFS data and feedback may be public and hard to undo.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands

Findings (8)

Context-Inappropriate Capability

Medium (88% confidence)

The skill instructs deriving a wallet from environment secrets and later sourcing .env during execution, which expands sensitive credential access beyond simple chat-guided data collection. Even if intended for signing transactions, this increases the attack surface and may cause an agent to access private keys when a safer address-only or external-wallet flow would suffice.

Context-Inappropriate Capability

Medium (84% confidence)

The skill documentation advertises search, update, and feedback commands in addition to registration, expanding the operational scope beyond what users would expect from a registration-only skill. Broader undocumented capability increases the chance of misuse, accidental invocation, or over-permissioning in agent environments.

Description-Behavior Mismatch

High (95% confidence)

This script performs an on-chain `giveFeedback` transaction even though the skill is described as registration-only, creating a hidden capability that can spend funds and alter on-chain reputation outside user expectations. In agent/tooling contexts, scope mismatch is dangerous because users may grant wallet credentials for one purpose while bundled code uses them for another blockchain action.

Context-Inappropriate Capability

Medium (87% confidence)

The script pulls a raw private key from environment variables to support a feature outside the stated registration scope, increasing the blast radius if the bundled skill is trusted too broadly. Even without exfiltration in this file, collecting signing credentials for an unrelated on-chain operation is a security risk because it normalizes over-privileged secret use and may cause users to expose keys unnecessarily.

Vague Triggers

Medium (90% confidence)

The README recommends a very broad natural-language trigger phrase, "Register me on ERC-8004," for a skill that performs blockchain registration and may use locally configured private keys. In chat-driven agent systems, broad triggers can be invoked unintentionally during ordinary discussion or prompt injection scenarios, increasing the chance of unintended transaction preparation or user coercion into on-chain actions.

Missing User Warnings

High (97% confidence)

The setup instructions tell users to place raw private keys in a .env file and present this as standard configuration without a prominent security warning or safer alternatives. For a skill that performs on-chain registration and signing, this materially increases the risk of credential theft, accidental commit of secrets, leakage through logs/tooling, or misuse by the agent runtime if the environment is exposed.

Vague Triggers

Medium (80% confidence)

The phrase 'when the user triggers registration' is underspecified and does not define exact invocation conditions or guardrails. Ambiguous activation criteria can cause unintended execution of registration logic, especially in conversational systems where partial intent may be inferred incorrectly.

Missing User Warnings

High (95% confidence)

The skill encourages users to place a private key in a .env file and presents it as a normal configuration option without strong security warnings or safer alternatives. This can normalize insecure key handling, leading to credential leakage through logs, repository commits, shell history, or unintended agent access.

VirusTotal

64/64 vendors flagged this skill as clean.
