Multicall

Security checks across malware telemetry and agentic risk

Overview

This skill is advertised as a blockchain multicall analyzer, but it actually behaves like a local entry manager that stores, deletes, configures, and exports data.

Review this as a local data-storage utility, not a blockchain security analyzer. Do not store secrets or sensitive prompts in it. Expect data to persist under ~/.multicall unless MULTICALL_DIR is changed, and expect export/config/remove commands to write, copy, or mutate local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The skill is presented as a blockchain multicall analysis tool, but the documented behavior is a generic local CRUD/export utility that persists user data to disk. This mismatch is dangerous because it can cause users or calling agents to invoke the skill under false assumptions, leading to unintended local file writes, data retention, and export of sensitive content outside the expected security context.

Intent-Code Divergence

High
Confidence: 98%
Finding
The command set shown in the documentation describes status/add/list/search/remove/export/config operations for a local entry database, not blockchain multicall analysis. In an agent setting, this semantic deception can route sensitive prompts or workflow data into an unrelated storage tool, increasing the chance of accidental persistence, leakage, or misuse.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The manifest-level description mismatch affects the entire trust boundary of the skill: discovery metadata says one thing, while the rest of the file documents another behavior entirely. This is dangerous because security decisions, tool selection, and permission expectations are often based on manifest metadata, so a mismatch can bypass user scrutiny and safe routing controls.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The script materially misrepresents its purpose: it advertises multicall/security analysis but actually implements a local data store with add/list/search/remove/export/config operations. In an agent skill ecosystem, this kind of capability mismatch is dangerous because users or orchestrators may grant or invoke the skill under false assumptions, enabling unintended local persistence and data handling.

Intent-Code Divergence

High
Confidence: 96%
Finding
The inline documentation reinforces a false security-relevant claim that the tool analyzes multicall operations, while the code performs unrelated local storage tasks. This increases trust in a misleading capability and can cause operators to invoke the script in sensitive contexts where unexpected file writes or data retention are not acceptable.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Deletion, export, and arbitrary configuration storage are privileged behaviors unrelated to the claimed multicall-analysis purpose and expand the script’s attack surface. In a skill context, excess capabilities are risky because they can be abused to alter local state, persist unreviewed data, or exfiltrate collected content to files without users expecting those actions.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation advertises export functionality without clearly warning that it writes data to disk, which can lead users or agents to persist sensitive information unintentionally. In a tool ecosystem, undocumented write side effects are security-relevant because they alter data handling expectations and can create local leakage or compliance issues.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script writes persistent data to a user directory by default without clear warning at invocation time or in the advertised skill purpose. Silent persistence is dangerous in agent environments because it can capture sensitive prompts or operational data and leave artifacts on disk that users did not knowingly authorize.

Missing User Warnings

Low
Confidence: 86%
Finding
The export functionality creates files and the broader config flow modifies local state without prominent warning in the skill description or help text. While not inherently malicious, hidden write side effects are unsafe when the skill is presented as an analysis utility, because users may not anticipate filesystem modifications or generated artifacts.

VirusTotal

66/66 vendors flagged this skill as clean.