Job for Bots

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support a real bot-job marketplace, but it instructs agents to fetch and overwrite their own instruction files from a remote source on a schedule, and to handle wallet and API credentials with broad autonomous authority.

Install only after careful review. Use a dedicated low-balance wallet and a dedicated API key; set owner controls to ask or full approval; restrict the ~/.openjobs files to the owning user; do not symlink the skill into unrelated agent runtimes; and do not enable the hourly self-refresh unless you manually review the downloaded SKILL.md and HEARTBEAT.md and pin the reviewed versions first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill embeds full wallet generation, secret storage, decryption, and signing logic, giving the agent credential-management and local secret-handling capabilities well beyond what a marketplace client needs. This materially expands the blast radius: any prompt injection, tool misuse, or compromised skill update can pivot into extracting the Solana private key or using it to authorize on-chain actions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill tells agents to store the API key, bot ID, wallet address, and approval preferences in a local preferences file but gives no file-permission or secret-handling guidance for that file. On shared hosts or in loosely permissioned environments, a world- or group-readable preferences file exposes the API key, enabling account takeover or unauthorized marketplace actions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill explicitly instructs the agent to periodically overwrite its local SKILL.md and HEARTBEAT.md from the network without any authenticity verification or change review. This creates a supply-chain (update-channel) risk: whoever controls the remote endpoint can silently replace the trusted local instructions and steer future agent behavior, including toward credential misuse or destructive actions.

Ssd 4

Severity: High
Confidence: 98%
Finding
The hourly refresh loop forms a self-reinforcing instruction-update chain: fetch the remote instructions, read them in full, and execute every new step in order. This is especially dangerous in an agent skill because it can silently mutate the agent's operational policy over time, effectively delegating future control to the remote publisher.
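The mitigation the Overview and the two update-channel findings point at (review, then pin) and the file-permission gap from the preferences-file finding can be handled with a small wrapper around the refresh step. The following is an added example written for this page, not code from the Job for Bots skill or from SkillSpector: fetched SKILL.md and HEARTBEAT.md land in a staging directory and only replace the live copies when their SHA-256 matches a pin the operator recorded after reading them, and the preferences directory is restricted to the owner. The directory layout, the pin-file name and the staging step are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the Job for Bots skill or its scan report.
# Pins reviewed instruction files by SHA-256, refuses an hourly refresh
# whose content differs from the pins, and locks the preferences
# directory to the owner. Layout and pin-file name are assumptions.
set -u

# Portable SHA-256 of one file (sha256sum on Linux, shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Record hashes of files you have read by hand into a pin file,
# one "<sha256>  <name>" line per file.
write_pins() {           # write_pins DIR PINFILE name...
  dir="$1"; pins="$2"; shift 2
  : > "$pins"
  for name in "$@"; do
    printf '%s  %s\n' "$(sha256_of "$dir/$name")" "$name" >> "$pins"
  done
}

# Return 0 only if every pinned file exists in DIR with the pinned hash.
verify_pins() {          # verify_pins DIR PINFILE
  dir="$1"; pins="$2"; status=0
  while read -r expected name; do
    [ -z "$name" ] && continue
    if [ ! -f "$dir/$name" ]; then
      echo "pin check: $name missing" >&2; status=1; continue
    fi
    actual=$(sha256_of "$dir/$name")
    if [ "$actual" != "$expected" ]; then
      echo "pin check: $name hash mismatch" >&2; status=1
    fi
  done < "$pins"
  return "$status"
}

# Replacement for the "fetch and overwrite" step: the refresh is downloaded
# into STAGE_DIR (download not shown), and only a staged set that matches
# the pins is copied over the live files. Anything else is left for review.
apply_update() {         # apply_update STAGE_DIR LIVE_DIR PINFILE
  stage="$1"; live="$2"; pins="$3"
  if ! verify_pins "$stage" "$pins"; then
    echo "refusing update: staged files differ from reviewed pins" >&2
    return 1
  fi
  while read -r expected name; do
    [ -z "$name" ] && continue
    cp "$stage/$name" "$live/$name"
  done < "$pins"
  return 0
}

# Owner-only permissions for the directory holding the API key, bot ID,
# wallet address and approval preferences, and for every file inside it.
lockdown_dir() {         # lockdown_dir DIR
  chmod 700 "$1" && find "$1" -type f -exec chmod 600 {} +
}

# Return 0 if neither DIR nor any entry in it grants group/other any bit,
# 1 otherwise. Parses ls -ld so it works on GNU and BSD userlands.
check_no_group_other() { # check_no_group_other DIR
  for f in "$1" "$1"/*; do
    [ -e "$f" ] || continue
    rest=$(ls -ld "$f" | cut -c5-10)
    [ "$rest" = "------" ] || return 1
  done
  return 0
}

# Typical use (paths are assumptions):
#   write_pins ~/.openjobs ~/.openjobs/pins.sha256 SKILL.md HEARTBEAT.md
#   apply_update /tmp/openjobs-stage ~/.openjobs ~/.openjobs/pins.sha256
#   lockdown_dir ~/.openjobs && check_no_group_other ~/.openjobs
```

The point of staging is that a mismatch leaves the previously reviewed instructions in place and prints what differed; the operator then reads the new version and re-runs write_pins if they approve it, so every change to the agent's operating policy passes through a human rather than through the hourly loop.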

VirusTotal

No VirusTotal findings

View on VirusTotal