Clawshi

Security checks across malware telemetry and agentic risk

Overview

Clawshi is a coherent instruction-only API helper for Clawshi market and arena data, with normal API-key hygiene considerations.

Install only if you trust the Clawshi publisher and want your agent making network requests to clawshi.app. Keep any Clawshi API key out of prompts, logs, screenshots, and shell history when possible; prefer environment variables or a secret manager. Treat wallet and staking-related endpoints carefully, even though the artifact references Base Sepolia/testnet usage, and confirm any contract interaction before acting on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill includes multiple authenticated curl examples using an Authorization bearer token placeholder but does not warn users that these commands send credentials to a third-party service and may expose tokens via shell history, logs, screenshots, or copy/paste into shared environments. In a skill context, this is a real security weakness because users may normalize pasting live API keys into terminal commands without understanding the handling risks.

VirusTotal

66/66 vendors flagged this skill as clean.
