BNB Chain NFT

Security checks across malware telemetry and agentic risk

Overview

This NFT skill is purpose-aligned but needs review because it can sign transfers and approvals, including collection-wide approvals, using a raw private key without extra safeguards.

Install only if you are comfortable with a command-line tool that can sign real BNB Chain NFT transactions. Use a dedicated low-value wallet, avoid passing private keys with --key, verify every contract and recipient/operator address, and treat approve-all as granting broad collection transfer authority until revoked.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding:
The skill description omits sensitive behaviors such as approve, setApprovalForAll, approval checks, and fetching tokenURI metadata over HTTP, even though these actions materially change the risk profile. In particular, operator-wide approvals can enable complete loss of a user's NFTs if an untrusted address is approved, and off-chain HTTP metadata fetches introduce additional unadvertised network interaction and trust boundaries.

Description-Behavior Mismatch

High
Confidence: 94%
Finding:
The skill implements approve and setApprovalForAll operations in addition to transfer and read-only NFT actions. Approval-granting is safety-critical because it delegates transfer authority over one token or an entire collection, and the manifest description does not clearly disclose that expanded capability, increasing the chance of unsafe invocation by a user or agent.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding:
The code accepts a private key from CLI arguments or environment variables for signing approval and transfer transactions. Supplying secrets this way is risky because command-line arguments may be exposed through shell history, process listings, logs, or agent telemetry, and the manifest does not justify direct secret handling.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding:
The metadata command dereferences tokenURI values over arbitrary HTTP(S) endpoints. Because tokenURI is effectively untrusted external input from a contract, this creates an undisclosed outbound network capability that can leak usage metadata, contact attacker-controlled endpoints, and expose the runtime to SSRF-style network access depending on deployment context.

Vague Triggers

Medium
Confidence: 79%
Finding:
The phrase 'Use for any NFT-related tasks on BSC' is overly broad and can cause the skill to be invoked in contexts beyond its safer read-only functions, including dangerous write operations like transfer and approval. In an automated agent setting, broad triggers increase the chance of accidental or socially engineered invocation of sensitive blockchain actions.

Missing User Warnings

Medium
Confidence: 88%
Finding:
Fetching token metadata sends a request to a URL derived from tokenURI without any privacy notice or consent flow. This can reveal user activity, IP address, timing, and queried assets to third-party or attacker-controlled servers, which is especially relevant for an agent skill that may run in shared or sensitive environments.

Missing User Warnings

High
Confidence: 97%
Finding:
The CLI usage instructs users to pass private keys directly via --key, with no warning that command-line arguments are often visible in shell history, process tables, audit logs, and orchestration telemetry. This is a direct secret-exposure risk that can lead to total wallet compromise and unauthorized NFT transfers or approvals.

Missing User Warnings

High
Confidence: 95%
Finding:
The approve and approve-all operations execute immediately without an explicit safety warning explaining that they grant transfer authority to another address. This is particularly dangerous for NFTs because setApprovalForAll can authorize an operator to move every token in a collection owned by the wallet, making phishing, operator confusion, or accidental approvals highly damaging.

VirusTotal

66/66 vendors flagged this skill as clean.
