BNB Chain

Security checks across malware telemetry and agentic risk

Overview

This BNB Chain skill appears to do what it advertises, but it can spend cryptocurrency using raw private keys without built-in confirmation safeguards.

Review before installing. Use only a dedicated low-balance wallet, avoid passing private keys on the command line, prefer a controlled secret mechanism, and manually verify network, recipient address, token contract, and amount before any send operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation explicitly instructs users to provide and use a private key via an environment variable, but the manifest does not declare that it accesses sensitive environment data. This creates a transparency and trust problem: users and orchestrators cannot accurately assess that the skill handles secrets, increasing the risk of accidental secret exposure or unsafe execution in environments that would otherwise restrict such access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
79% confidence
Finding
The manifest describes only balance checks and sending assets, while the documentation also exposes private-key-based wallet derivation and transaction inspection capabilities. This mismatch can mislead users or automated policy systems about the true functionality of the skill, weakening review controls and making sensitive key-handling behavior easier to overlook.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The `address` command accepts a raw private key as a positional CLI argument and processes it directly, which encourages unsafe secret handling. Command-line arguments are often exposed via shell history, process listings, logs, or agent telemetry, so this feature can lead to accidental private-key disclosure even though the code does not directly leak the key.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation recommends passing a private key directly on the command line (for example via `--key <private_key>` and `address <private_key>`). Command-line arguments are commonly exposed through shell history, process listings, logging, telemetry, or crash reports, so this pattern can leak wallet secrets and lead to complete loss of funds.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill accepts private keys via `--key` and `BNB_PRIVATE_KEY` without any warning or protective handling. In an agent or CLI context, secrets passed on the command line can be captured by shell history, process inspection, orchestration logs, or debugging output, increasing the risk of wallet compromise and unauthorized fund transfers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The usage text explicitly instructs users to pass a raw private key to the `address` command, normalizing dangerous secret exposure. In practice, this can cause irreversible leakage through shell history, copied commands, terminal recording, or agent execution logs, making subsequent theft of on-chain assets possible.

VirusTotal

66/66 vendors flagged this skill as clean.
