Consensus

Security checks across malware telemetry and agentic risk

Overview

This skill is labeled as a blockchain consensus analyzer, but its artifacts implement a local persistent entry manager with delete and export actions.

Review before installing. Use this only if you intentionally want a local note-style entry manager stored under ~/.consensus, not a consensus or protocol-security analyzer. Avoid storing sensitive material, and treat remove/export as state-changing actions that can delete data or create files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding
The skill advertises blockchain consensus and protocol-security analysis, but the documented interface is a generic local CRUD/file-management tool. This kind of description-behavior mismatch is dangerous because an agent may invoke the skill under false assumptions and unintentionally perform state-changing local actions such as storing, deleting, or exporting user data.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The manifest frames the skill as a blockchain consensus analyzer, but the commands implement an unrelated entry manager. In an agent ecosystem, deceptive or inaccurate capability declarations can cause unsafe auto-selection and execution, leading to unintended local data manipulation rather than read-only analysis.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding
The documentation internally contradicts itself: the stated purpose is consensus analysis, while the command descriptions describe adding, removing, exporting, and configuring local entries. Such contradictions undermine operator and agent trust boundaries and increase the chance of executing side-effecting commands in contexts where only analytical behavior was expected.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The script’s advertised purpose is consensus analysis, but it actually implements a local note store with add/search/remove/export capabilities. This mismatch is dangerous because users may grant trust and supply sensitive operational or blockchain-related data under false expectations, while the skill silently persists and manipulates that data locally.

Intent-Code Divergence

Severity: High
Confidence: 95%
Finding
The inline documentation states the tool analyzes consensus operations, but no such functionality exists in the code. Misleading security-relevant documentation increases the chance that operators will invoke the skill in sensitive workflows and expose data or rely on outputs that are unrelated to the promised task.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The help text markets the tool as suitable for understanding consensus mechanisms and protocol security, but the available commands only store, search, remove, and export entries. In a security-tooling context, deceptive help text is especially risky because it can induce users to enter sensitive notes or trust the skill in analytical workflows it does not perform.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The invocation guidance is broad enough to match many normal blockchain-analysis requests, even though the documented commands do not support that purpose. This raises the risk of accidental selection of a side-effecting tool in response to benign analytical prompts, expanding the attack surface for prompt/tool confusion.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The docs describe remove and export operations without warning that they delete data or write files. Missing disclosure of destructive and file-system side effects can lead users or agents to trigger irreversible changes or create sensitive-output artifacts without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The script writes user-supplied content persistently to a hidden directory and later supports destructive removal, yet it gives no up-front warning about storage or deletion semantics. In the context of a supposedly analytical skill, this is more dangerous because users are less likely to expect local retention of potentially sensitive research notes, queries, or protocol data.

VirusTotal

66/66 vendors flagged this skill as clean.
