Streme Token Launcher

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it can launch public blockchain tokens using a raw wallet private key without strong built-in confirmation safeguards.

Review carefully before installing or running. Use a dedicated low-balance wallet, verify the contract addresses and dependencies, set token parameters explicitly, use scoped image-hosting credentials, and require manual approval of the exact deployment transaction before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger text includes broad activation language such as "use on any Streme token deployment task", which can cause the skill to activate in loosely related contexts. In a high-risk domain involving on-chain deployment and public token launches, overly broad routing increases the chance of unintended execution, wrong-chain actions, or acting on ambiguous user requests without sufficient confirmation.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill describes deploying tokens, uploading token images, and interacting with public APIs/contracts, but does not warn users that deployment is irreversible, that metadata may become public, and that wallet/deployer addresses will be exposed on-chain and via third-party services. In a blockchain deployment context, missing warnings are especially dangerous because mistakes can create permanent public records, financial loss, and privacy leakage.

VirusTotal

61/61 vendors flagged this skill as clean.
