aaveclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent Base Sepolia Aave testnet skill, but it requires a raw wallet private key and can sign state-changing blockchain transactions, so users should review it carefully before installing.

Install only if you are comfortable using a dedicated disposable Base Sepolia testnet wallet with this skill. Do not use a mainnet or valuable wallet private key, avoid plaintext key files where possible, restrict file permissions if you create one, verify amounts and contract addresses before state-changing commands, and consider revoking or limiting token approvals after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Session Persistence

Medium
Category: Rogue Agent
Content:
## Error Handling

- If private key is missing: direct user to create `~/.x402-config.json` with `{"private_key": "0x..."}`
- If insufficient balance: the scripts report exact balances and what is needed
- If health factor would drop too low after borrow: Aave reverts the transaction automatically
- If faucet fails: the faucet contract may have minting limits or may not be available
Confidence: 93%
Finding: create `~/.x

VirusTotal

59/59 vendors flagged this skill as clean.
