aiusd

Security checks across malware telemetry and agentic risk

Overview

This skill's code matches its stated AIUSD trading purpose, but it is rated Review because it can move funds using locally stored tokens and because its installer and re-authentication behavior are under-scoped.

Install only if you trust the AIUSD publisher and are comfortable giving the skill token-based authority over the AIUSD account it can access. Use limited balances or limited-scope credentials where possible, require explicit confirmation for every trade, withdrawal, stake/unstake, gas top-up, and re-authentication, and review the embedded package before running the self-extracting installers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

Medium severity, 91% confidence
The skill gives strict user-facing instructions to say only limited authentication phrases, but later instructs the agent to automatically run re-auth commands and report progress. This inconsistency can cause an agent to take sensitive auth actions without clear disclosure or valid user consent, increasing the chance of confusing or unsafe credential-handling behavior.

Intent-Code Divergence

Medium severity, 90% confidence
The header presents the file as the complete skill package, but the actual behavior is an installer that writes opaque embedded data, deletes an existing directory, extracts an archive, and executes external commands. That mismatch reduces informed consent and can mislead a user into running privileged installation actions they did not expect, especially since the embedded payload is not auditable from the visible source.

Intent-Code Divergence

Medium severity, 91% confidence
The installer recursively deletes the target installation directory with `rm -rf` if it already exists, and the user only receives a log message rather than a meaningful safeguard. Although the path is constrained to `$(pwd)/aiusd-skill`, this is still destructive behavior that can erase an existing installation or any user data stored there without confirmation or backup.

Missing User Warnings

Medium severity, 94% confidence
The README promotes high-risk financial actions such as trading, withdrawals, staking, and automatic authentication through natural-language chat interfaces without prominent warnings about irreversible transactions, market risk, wallet compromise risk, or the need for explicit user confirmation. In this context, the omission is dangerous because users may treat casual chat commands as low-risk and trigger real asset movements or account actions without understanding the consequences.

Missing User Warnings

Medium severity, 94% confidence
The documented re-auth procedure includes clearing cached credentials from local directories, which is a destructive action affecting authentication state. Without a clear warning and consent requirement, an agent may erase tokens or session data unexpectedly, potentially disrupting access or switching accounts.

Missing User Warnings

Medium severity, 95% confidence
The skill directs the agent to automatically run re-authentication on common auth failures, even though that flow may clear local auth caches and trigger browser login. Automatically initiating such state-changing actions without disclosure or confirmation is unsafe because it can affect local credentials and user sessions beyond the immediate request.

Missing User Warnings

High severity, 98% confidence
The installer unconditionally removes the existing aiusd-skill directory with fs.rmSync(..., { recursive: true }) and does so without confirmation, backup, or path safety checks beyond simple name construction. If a user already has important data in that directory, running the installer causes immediate destructive data loss.

Missing User Warnings

Medium severity, 97% confidence
The script extracts an embedded tarball and runs npm install automatically, which executes code from an opaque bundled package and any package lifecycle scripts in its dependencies. In a skill installer context this is particularly dangerous because the payload is hidden in base64 and users cannot readily inspect what will be extracted or what install-time code will run.

Missing User Warnings

Medium severity, 96% confidence
The script performs destructive deletion of an existing installation directory with no confirmation prompt, which can cause immediate data loss. In the context of a self-extracting installer for an untrusted skill package, silent replacement is more dangerous because users may rerun it in directories containing prior configuration, secrets, or local modifications.

Missing User Warnings

Medium severity, 98% confidence
Running `npm install` on extracted, untrusted package contents can execute arbitrary lifecycle scripts such as `preinstall`, `install`, and `postinstall`. Because the installer automatically decodes an embedded archive and then invokes npm with no warning, review step, or script suppression, this creates a straightforward path to arbitrary code execution on the user's machine.

VirusTotal

66/66 vendors reported this skill as clean (no detections). A clean multi-engine verdict does not address the consent and destructive-install issues above, which are design findings rather than malware signatures.