Publish Clawtrust

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent ClawTrust integration, but it gives agents broad autonomous authority over on-chain identity, USDC workflows, and external posting, which deserves careful review.

Install only if you want an agent to create and maintain a ClawTrust identity, send profile/heartbeat/gig activity to clawtrust.org, and use semi-custodial Circle wallet flows for escrow or treasury payments. Review or disable the heartbeat/social-posting examples and require explicit confirmation before wallet signing, treasury pay, escrow funding, domain registration, or public reputation posts.
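The confirmation boundary recommended above can be enforced in the agent runtime rather than left to the skill's examples. The following is an added example, not ClawTrust or SkillSpector code: a deny-by-default consent gate placed in front of an agent's tool dispatcher. The tool names, the policy table and the synchronous `confirm` hook are assumptions for illustration; a real runtime would key the policy to its actual tool registry and prompt asynchronously.

```javascript
// Added example (not ClawTrust or SkillSpector code). Tool names, the policy
// table and the confirm hook are assumptions for illustration.

// Policy follows the overview: on-chain signing, treasury payments, escrow
// funding and domain registration need per-action confirmation; social
// posting of gig/reputation data is disabled; persistent telemetry
// (heartbeats) needs one informed consent; pure reads need none.
const DEFAULT_POLICY = {
  "wallet.signAndSendTx": { consent: "per-action", risk: "on-chain transaction" },
  "treasury.pay":         { consent: "per-action", risk: "USDC transfer from custodial wallet" },
  "escrow.fund":          { consent: "per-action", risk: "USDC locked in escrow" },
  "domain.register":      { consent: "per-action", risk: "permanent domain claim" },
  "social.post":          { consent: "disabled",   risk: "discloses activity to third parties" },
  "profile.heartbeat":    { consent: "once",       risk: "ongoing transmission to clawtrust.org" },
  "trust.score":          { consent: "none",       risk: "read-only" },
};

// What the human sees before approving: the tool, its risk, and the exact
// arguments (destination, amount, ...) that would leave the agent.
function describe(name, args, rule) {
  const detail = Object.entries(args || {})
    .map(([k, v]) => `${k}=${JSON.stringify(v)}`)
    .join(", ");
  return `${name} (${rule.risk}) with ${detail || "no arguments"}`;
}

// tools: { name: fn(args) }; confirm: hook returning true/false for a prompt.
function createGate(tools, confirm, policy = DEFAULT_POLICY) {
  const grantedOnce = new Set();
  const audit = [];                         // decision log for incident review
  const record = (name, decision, reason) => audit.push({ name, decision, reason });

  function call(name, args) {
    const rule = policy[name];
    if (!rule) {                            // unlisted tool: deny, never fall through
      record(name, "deny", "not in policy");
      throw new Error(`denied: ${name} is not in the policy`);
    }
    if (rule.consent === "disabled") {
      record(name, "deny", "disabled by policy");
      throw new Error(`denied: ${name} is disabled`);
    }
    const needsPrompt = rule.consent === "per-action" ||
      (rule.consent === "once" && !grantedOnce.has(name));
    if (needsPrompt) {
      if (!confirm(describe(name, args, rule))) {
        record(name, "deny", "user declined");
        throw new Error(`denied: user declined ${name}`);
      }
      if (rule.consent === "once") grantedOnce.add(name);
    }
    record(name, "allow", rule.consent);
    return tools[name](args);
  }
  return { call, audit };
}

// Constructed demo: stub tools and a scripted confirmation hook.
function demo() {
  const prompts = [];
  const answers = [true, false];            // heartbeat: approve; treasury.pay: decline
  const confirm = (text) => { prompts.push(text); return answers.length ? answers.shift() : false; };
  const tools = {
    "trust.score":       ({ agentId }) => ({ agentId, score: 72 }),
    "profile.heartbeat": () => "sent",
    "treasury.pay":      ({ to, usdc }) => ({ to, usdc, status: "paid" }),
    "social.post":       () => "posted",
  };
  const gate = createGate(tools, confirm);
  const results = [];
  const attempt = (name, args) => {
    try { results.push({ name, ok: true, value: gate.call(name, args) }); }
    catch (e) { results.push({ name, ok: false, error: e.message }); }
  };
  attempt("trust.score", { agentId: "agent-1" });         // read: no prompt
  attempt("profile.heartbeat", { status: "idle" });        // first heartbeat: prompt once
  attempt("profile.heartbeat", { status: "idle" });        // second: already granted
  attempt("treasury.pay", { to: "0xabc", usdc: 250 });     // prompt, declined
  attempt("social.post", { text: "earned 250 USDC" });     // disabled outright
  attempt("fs.readEnv", {});                               // unlisted: denied
  return { results, prompts, audit: gate.audit };
}
```

The audit log is as important as the gate itself: when an agent is later found to have funded escrow or posted publicly, the log shows whether the action was approved, by what prompt text, or denied.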

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Medium, 88% confidence
The documentation presents a scope mismatch: it says this repo is only a lightweight Trust Oracle client while the skill metadata and surrounding material market a much broader platform with registration, gigs, commerce, and validator workflows. In an agent-skill setting, this can mislead operators about what code is actually present, what remote capabilities are invoked, and which trust boundaries apply, increasing the chance of unsafe installation or over-privileged use.

Intent-Code Divergence

Medium, 91% confidence
The README first narrows the repository to a lightweight Trust Oracle, then later includes examples of full-platform mutating operations such as registration, applications, work submission, voting, and domain registration as though they belong to the same SDK experience. This ambiguity is dangerous because users may assume they are using a read-only trust client while actually being guided toward state-changing API calls with financial, identity, or on-chain consequences.

Context-Inappropriate Capability

Medium, 93% confidence
The heartbeat example goes beyond ClawTrust integration and instructs the agent to automatically post gig outcomes and reputation changes to Moltbook and X. This creates an unsolicited cross-skill action that can leak operational, financial, and reputational data to third-party platforms without an explicit per-action consent boundary.

Intent-Code Divergence

Medium, 88% confidence
The documentation states that no chain RPCs are called by the agent, but the sample code conditionally invokes agent.signAndSendTx on the returned mintTransaction. That discrepancy can mislead users into enabling the skill under the false assumption that it performs only API calls, when it may also trigger wallet-mediated blockchain transactions.
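The three documentation mismatches above (a read-only client that registers and votes, a "no chain RPCs" claim beside `agent.signAndSendTx`, and a heartbeat that posts to Moltbook and X) can be checked mechanically before installing. The following is an added example, not SkillSpector's scanner: it separates a skill README's prose from its fenced code and reports a divergence only when a claim in the prose is contradicted by a call in the code. The README text is constructed for the demo, and the claim and call patterns are illustrative assumptions, not a complete rule set.

```javascript
// Added example (not SkillSpector or ClawTrust code). Patterns and the sample
// README are constructed for illustration.

// A claim made in prose, and the code patterns that would contradict it.
const CLAIMS = [
  { id: "no-chain-rpc",
    pattern: /no (chain|blockchain|on-chain) rpcs?/i,
    contradictedBy: /\b(signAndSendTx|sendTransaction|eth_sendRawTransaction)\b/ },
  { id: "read-only-client",
    pattern: /(lightweight|read-only) (trust oracle )?client/i,
    contradictedBy: /\b(register|apply|submitWork|vote|registerDomain|fundEscrow|pay)\s*\(/ },
];

// Cross-skill destinations a ClawTrust integration has no reason to reach on its own.
const THIRD_PARTY = /\b(moltbook|twitter|x\.com)\b/i;

// Split markdown into prose and the joined contents of ``` fences.
function splitFences(markdown) {
  const prose = [], code = [];
  let inFence = false;
  for (const line of markdown.split("\n")) {
    if (/^\s*```/.test(line)) { inFence = !inFence; continue; }
    (inFence ? code : prose).push(line);
  }
  return { prose: prose.join("\n"), code: code.join("\n") };
}

// Returns a list of findings; empty means claims and code agree.
function auditSkill(markdown) {
  const { prose, code } = splitFences(markdown);
  const findings = [];
  for (const c of CLAIMS) {
    if (!c.pattern.test(prose)) continue;          // claim absent: nothing to contradict
    const m = code.match(c.contradictedBy);
    if (m) findings.push({ kind: "intent-code-divergence", claim: c.id, evidence: m[0] });
  }
  const tp = code.match(THIRD_PARTY) || prose.match(THIRD_PARTY);
  if (tp) findings.push({ kind: "context-inappropriate-capability", evidence: tp[0] });
  return findings;
}

// Constructed README fragment modelled on the mismatches described above.
const SAMPLE_README = `
# Example skill
This repo is a lightweight Trust Oracle client. No chain RPCs are called by the agent.

\`\`\`js
const res = await clawtrust.register(profile);
if (res.mintTransaction) await agent.signAndSendTx(res.mintTransaction);
\`\`\`

Heartbeat example:
\`\`\`js
await social.post("moltbook", "Earned 250 USDC on a gig, reputation +3");
\`\`\`
`;

function demo() {
  return auditSkill(SAMPLE_README);
}
```

Run `demo()` against the constructed README and it reports all three divergences; run `auditSkill` on a README whose code contains no signing, mutating or third-party calls and it returns an empty list, so a clean result is meaningful rather than merely the absence of a pattern match.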

Missing User Warnings

Medium, 95% confidence
The README tells the user to have the agent autonomously register, send heartbeats, and apply for gigs without first presenting an immediate, contextual warning that these actions disclose profile, wallet, and ongoing activity data to ClawTrust servers. Although a later section describes data sharing, placing automation instructions first can lead users to consent to persistent external transmission without informed awareness.

Missing User Warnings

Medium, 84% confidence
The README advertises passport scanning and identity-related features without any privacy notice, consent expectations, retention guidance, or warning that personal identity data may be sensitive and regulated. In this skill context, identity and reputation are central product features, so omission of data-handling caveats materially increases the risk of inappropriate collection, disclosure, or misuse by integrators.

Missing User Warnings

Medium, 95% confidence
The registration example states that agent registration automatically mints an ERC-8004 passport, but it does not warn users that this may create an irreversible or durable on-chain identity artifact tied to their wallet. In a blockchain-integrated skill, undocumented automatic minting can cause unexpected identity linkage, fees, compliance exposure, and permanent publication of user-associated metadata.

Missing User Warnings

Medium, 86% confidence
The skill instructs users to perform irreversible on-chain registration and permanent domain-claiming actions before prominently warning about their permanence and downstream consequences. In a financial/on-chain context, unclear pre-action warnings can cause unintended asset commitments, identity creation, and persistent records that users cannot easily undo.

Missing User Warnings

Medium, 88% confidence
The treasury section documents payment endpoints that can immediately transfer USDC from a custodial, server-managed wallet, but the examples do not foreground that funds may move right away and under a custodial control model. In a money-moving workflow, insufficient warnings increase the risk of unintended transfers and misunderstanding of who controls execution and rollback.

Missing User Warnings

Medium, 90% confidence
The skill promotes autonomous escrow funding and downstream social posting behaviors without a prominent warning that these actions can move funds or disclose activity externally. In an agent skill context, omission of clear financial and privacy warnings increases the chance of unintended monetary transfers and data sharing.

Ssd 3

Medium, 94% confidence
The example explicitly broadcasts gig earnings, platform identity, and reputation changes to external social platforms. That can expose sensitive business metadata, correlate wallets/agent identities across services, and create privacy and operational security risks for autonomous agents.

VirusTotal

0 of 66 vendors flagged this skill; all 66 reported it clean. This covers the malware-telemetry check only: the agentic-risk findings above are outside what antivirus engines assess and are not reflected in the VirusTotal result.