Pacman Hedera DeFi AI Agent

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Hedera DeFi wallet skill, but it asks for powerful wallet access while documenting automatic daemon activity, broad data logging, and unclear runtime boundaries.

Review carefully before installing. Use a testnet or dedicated low-balance wallet, inspect the missing launcher and Python CLI first, and do not provide a primary wallet private key. Require explicit approval for every transaction, daemon start or restart, account setup, key backup, limit order, staking action, and HCS publication. Avoid enabling log or training-data workflows unless you understand exactly what account and transaction data will be retained or shared.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Medium (93% confidence)
Finding
The skill explicitly states that write operations require explicit user approval, but elsewhere instructs the agent to automatically start or restart daemons. Daemon management is a state-changing operation that can trigger background monitoring, trading, signal publishing, or other side effects, so bypassing confirmation undermines the stated safety model and can cause unintended actions.

Intent-Code Divergence

Medium (88% confidence)
Finding
The document says the agent must never create accounts unless explicitly commanded, yet the onboarding flow encourages offering and running a full setup that creates or imports wallets and accounts. In a wallet skill, creating or importing identities is highly sensitive and can materially change the user's environment, so contradictory guidance increases the chance of unauthorized account changes.

Description-Behavior Mismatch

Medium (84% confidence)
Finding
The runtime description claims nothing is sent externally except Hedera RPC and SaucerSwap API, but the skill later references MoonPay links and a training-data harvesting workflow. In a wallet context, inaccurate network-boundary claims can mislead users about data exposure and trust assumptions, especially where financial metadata or interaction contents may leave the local environment.

Vague Triggers

Medium (89% confidence)
Finding
Triggering a full startup routine on generic greetings like 'hi' or 'start' is overly broad for a wallet agent. Even if the routine begins with read actions, this skill also instructs automatic daemon startup, so casual conversation can unexpectedly cause state changes and external network activity.

Vague Triggers

Medium (85% confidence)
Finding
The intent-routing table maps common conversational phrases like 'help', 'setup', 'health', or 'accounts' directly to operational routines. In a financial agent, vague triggers increase the risk of unintended command execution, unnecessary data exposure, or accidental transitions into privileged workflows.

Missing User Warnings

High (95% confidence)
Finding
The skill states that interaction data is collected for LLM fine-tuning, but this is buried in a later section rather than presented as a clear up-front user warning. Because this is a wallet agent handling balances, accounts, transfers, and potentially transaction metadata, silent or poorly disclosed training-data collection creates substantial privacy and compliance risk.

Ssd 3

Medium (94% confidence)
Finding
The logging and harvesting sections normalize retaining full interaction contents, errors, stack traces, account IDs, and execution records for later reuse in training. In the context of a DeFi wallet, these records can contain sensitive financial behavior, recipient information, and operational details that materially increase privacy and secondary-use risk.

VirusTotal

64/64 vendors flagged this skill as clean.