Agent Swarm

Security checks across malware telemetry and agentic risk

Overview

This is a real XMTP/USDC marketplace skill, but it bundles unsafe secrets, under-disclosed account automation, remote code execution surfaces, and inconsistent wallet safeguards.

Review this carefully before installing. Do not run it with funded wallets, production XMTP identities, GitHub tokens, or X credentials unless the package is cleaned up, exposed keys are removed and rotated, social/GitHub automation is separated or explicitly consented to, task verification is sandboxed, and wallet-guard enforcement is fixed and tested.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (124)

Description-Behavior Mismatch (severity: High, confidence: 98%)
The file is a generic placeholder template and does not document the actual XMTP-based agent marketplace, escrow, bidding, or payment behavior claimed by the skill metadata. In a security-sensitive multi-agent payment context, missing or incorrect instructions can cause agents to invoke the skill under false assumptions, mishandle funds, or operate without required safety constraints, making this a real security and reliability issue.

Description-Behavior Mismatch (severity: High, confidence: 98%)
The skill metadata describes decentralized XMTP task coordination and on-chain payments, but this file instructs the agent to perform autonomous X/Twitter growth actions such as mentions triage, likes, replies, quote tweets, and search-driven engagement. That is a material capability expansion into social-media automation outside the declared purpose, increasing the chance of covert account misuse, spam, and reputational harm.

Context-Inappropriate Capability (severity: High, confidence: 99%)
The file grants broad social-media automation powers: monitoring mentions, liking posts, replying, quote tweeting, and hunting for posts to engage with for visibility. In the context of an XMTP coordination skill, these are unrelated outbound actions that can be abused for unsolicited promotion, impersonation, or account farming without clear user intent.

Context-Inappropriate Capability (severity: Medium, confidence: 97%)
The instructions tell the agent to read local credential material from `.x_credentials` and export secrets into the environment to authenticate to X. Loading sensitive credentials for a capability not justified by the manifest increases the blast radius: a compromised or mis-scoped skill gains access to social accounts and can act externally as the user.

Context-Inappropriate Capability (severity: High, confidence: 99%)
The file embeds multiple production private keys (`adminKey`, `requestorKey`, and `workerKey`) directly in a distributed skill artifact. Anyone who can read this file can take over the associated wallets, sign transactions or messages, administer the board, move escrowed or paid funds, and impersonate participants. In the context of a decentralized agent-payment protocol, exposing live signing keys is especially dangerous because the skill is explicitly designed to control real on-chain payments on a production network.

Description-Behavior Mismatch (severity: High, confidence: 98%)
This configuration does more than describe decentralized coordination endpoints; it hardcodes concrete production wallet control material and links it to a live `production` network deployment. That means the skill package itself becomes a bearer secret for administrative and payment operations, enabling unauthorized takeover, fraudulent bids or task actions, and theft or misdirection of USDC or escrowed assets. Because the skill’s purpose includes hiring agents and paying them on-chain, exposure of wallet control materially increases real-world financial risk.

Context-Inappropriate Capability (severity: Medium, confidence: 98%)
The dashboard inserts multiple untrusted fields from `state.json` directly into `innerHTML`, including listing titles, descriptions, task names, role names, and status values. If an attacker can influence marketplace data, they can inject HTML or JavaScript into the dashboard, leading to stored XSS that can run in viewers' browsers, alter displayed escrow/payment information, or pivot into wallet- or session-related phishing in a crypto workflow.

Description-Behavior Mismatch (severity: Medium, confidence: 97%)
The worker automatically claims a subtask and submits a 'completed' result after a fixed delay without verifying that any work was actually performed. In a decentralized paid-work protocol, this can fraudulently trigger task progression or payment based on fabricated completion, making the skill materially dangerous in context because it is explicitly designed for autonomous bidding and on-chain compensation.

Intent-Code Divergence (severity: Medium, confidence: 95%)
The code comments state tasks should be handled in private groups, but the implementation processes task messages from the public board conversation and also posts claim/result messages back to that board. This leaks task workflow metadata and potentially sensitive deliverables to all board participants, and also allows unintended actors to observe or react to task state changes in a protocol meant to coordinate paid work privately.

Description-Behavior Mismatch (severity: Medium, confidence: 98%)
The demo and metadata describe escrowed on-chain USDC payments, but this script only exchanges XMTP messages and fabricates a transaction hash using a timestamp. That mismatch can mislead users or integrators into believing payment settlement and escrow guarantees exist when they do not, causing financial loss or unsafe reliance on nonexistent controls.

Intent-Code Divergence (severity: Medium, confidence: 97%)
The inline comment says the requestor sends payment after receiving the result, but the code actually sends only a payment confirmation message. In an agent marketplace context, this is dangerous because downstream users may assume payment completion or escrow release occurred and build trust or automation on a false financial state.

Intent-Code Divergence (severity: Low, confidence: 95%)
The completion log presents the flow as if payment occurred, when the worker only received a confirmation message and no actual transfer happened. While this is primarily a trust and integrity issue, it can still mislead operators during testing and mask the absence of real settlement logic.

Description-Behavior Mismatch (severity: Medium, confidence: 92%)
The implementation contradicts the advertised escrow-based payment model by sending funds directly from the requestor wallet after receiving a result message. This is dangerous because users may rely on escrow-related trust assumptions that do not actually exist, increasing the risk of disputes, non-recoverable payments, and misuse of the demo in production-like settings.

Intent-Code Divergence (severity: Medium, confidence: 90%)
The header comments describe a protocol with escrow and protected payment semantics, but the code performs only a direct USDC transfer after result receipt. Misleading security and payment claims are dangerous because operators may execute the script under false assumptions about fund safety, dispute handling, and protocol guarantees.

Context-Inappropriate Capability (severity: Medium, confidence: 97%)
The script reads a GitHub token from a local workspace file and uses it for authenticated clone/pull/push operations to a remote repository. This grants the skill an undeclared capability to exfiltrate or publish local-derived data and mutate external infrastructure, which is broader than the stated XMTP/on-chain coordination purpose and materially increases risk if the script is invoked automatically.

Description-Behavior Mismatch (severity: Medium, confidence: 93%)
The script performs behavior outside the skill's described scope by copying local state into a GitHub repository to update a dashboard. Undisclosed side effects are dangerous in agent skills because operators may authorize a protocol/coordination tool without realizing it also republishes local state to a third-party service.

Intent-Code Divergence (severity: Medium, confidence: 89%)
The implementation contradicts its own security comment: it writes the prompt to a temp file but then passes the full untrusted prompt as a command-line argument to downstream tools. This can expose task contents via process listings, audit logs, crash reports, or agent telemetry, and increases prompt-handling risk even though it is not shell injection.

Intent-Code Divergence (severity: Medium, confidence: 94%)
The code comment states codex reads from a file, but the actual invocation uses `['exec', prompt]`, placing the entire untrusted prompt directly in argv. That can leak sensitive task data to local observers and system logs and defeats the intended safer transport mechanism.

Intent-Code Divergence (severity: Medium, confidence: 96%)
The comment states file locking prevents concurrent write corruption, but the implementation explicitly continues without a lock when acquisition fails or times out. In a multi-agent or multi-process environment, that can lead to race conditions, lost updates, and inconsistent state, which is especially risky because this module tracks tasks, payments, escrows, and reputation used by a dashboard.

Context-Inappropriate Capability (severity: High, confidence: 98%)
The verification logic executes untrusted acceptance criteria as local JavaScript via `node _acceptance_test.js` and invokes external shell commands for AI verification. In this skill's context, task criteria and deliverables can originate from other agents on a decentralized network, so this creates a realistic remote code execution and command-execution surface on the host running the skill.

Intent-Code Divergence (severity: High, confidence: 99%)
The `signer` getter returns the raw underlying wallet (`this.inner`) even though the code comments claim contract interactions are intercepted by the guard. Any caller can use that signer directly to call arbitrary contracts, send transactions, sign approvals, or bypass spending limits, allowlists, and logging entirely. In a decentralized payment/orchestration skill, this defeats the core security boundary around on-chain funds.

Description-Behavior Mismatch (severity: High, confidence: 98%)
The file-level security claims state that the wrapper prevents fund drainage via permissioned access and spending limits, but those guarantees are undermined by later raw signer exposure and incomplete enforcement paths. This creates a dangerous mismatch between advertised protections and actual behavior, increasing the chance that downstream code or operators will trust the guard and store live funds behind ineffective controls.

Intent-Code Divergence (severity: Low, confidence: 90%)
The document contains an internal contradiction: it says no files were found or accessible, yet also claims the code was fetched for inspection. In a security-review workflow, this is dangerous because it can create a false impression that review coverage occurred when the underlying artifact may never have been examined, leading users to trust an incomplete or nonexistent audit.

Intent-Code Divergence (severity: Low, confidence: 90%)
The documentation encourages the agent to autonomously perform the full transaction lifecycle, including hiring, verification, and payment, without explicitly requiring user approval at each funds-moving step. In a skill that directly interacts with real USDC payments on Base, this can normalize unsafe autonomous spending behavior and lead to unintended or unauthorized transactions.

Description-Behavior Mismatch (severity: Medium, confidence: 97%)
The code explicitly comments that tasks are handled in private groups, but it sends both claim and result messages via the public board conversation. This can leak task metadata, worker activity, and deliverables to all board participants, breaking confidentiality assumptions and enabling task hijacking or copycat completion by other agents.

VirusTotal

66/66 vendors flagged this skill as clean.