BTCD Skill (NBW)

Security checks across malware telemetry and agentic risk

Overview

This skill matches its crypto-loan purpose, but it gives scripts control over real wallet keys and irreversible transactions with several under-scoped safety issues.

Install only if you understand the BTCD/PGP loan flow and are willing to let these scripts control dedicated, limited-balance wallets. Do not use primary wallets. Review dependencies, contract addresses, .env handling, state files, and exact BTC/EVM transaction details before running the BTC lock or repay steps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

MCP Least Privilege

Medium
Confidence
93% confidence
Finding
The skill declares no permissions while clearly requiring access to highly sensitive environment variables such as EVM and BTC private keys. This mismatch can bypass user expectations and review controls, making the skill more dangerous because it performs real blockchain operations involving funds and signing authority.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The ABI exposes a much broader administrative surface than the skill description suggests, including arbitrator freezing, slashing, pausing, manager replacement, and ownership actions. In an agent skill intended for BTCD loan/collateralization flows, bundling unrelated privileged contract interfaces increases the chance the agent or downstream tooling can invoke high-risk operations outside user intent, expanding blast radius if prompts, routing, or access controls fail.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The ABI includes explicit governance and administrative methods such as transferOwnership, setConfigManager, setAssetManager, setTransactionManager, setCompensationManager, setArbitratorWhitelist, pause, unpause, and terminateArbitratorWithSlash. If an agent connected to this ABI can reach these methods, a prompt-injection, authorization bug, or mis-scoped execution path could reconfigure protocol control, disable services, or seize administrative authority, which is far more dangerous than the advertised BTCD flow.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The ABI exposes privileged administrative functions such as ownership transfer/renounce, operator and contract reconfiguration, and asset withdrawal that go beyond the skill’s stated BTCD collateralization workflow. In an agent skill context, exposing these methods increases the chance that the agent can be induced to invoke dangerous admin operations, enabling governance takeover, configuration tampering, or fund extraction if the connected wallet has privileges.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The ABI includes generic withdrawal functions for ETH, arbitrary ERC20 tokens, and interest withdrawal, which are not justified by the declared collateralization purpose. In a wallet-connected agent workflow, these functions materially increase abuse potential because a prompt-injected or misdirected action could transfer assets out of the contract or to attacker-controlled recipients when the caller holds the necessary permissions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The ABI exposes clearly privileged administrative methods such as ownership transfer and multiple mutable configuration setters that exceed the skill's stated user-facing purpose of running BTCD collateralization and loan flows. In an agent-skill context, exposing these calls can let the agent or downstream tooling invoke protocol-governance actions by mistake or via prompt injection, potentially reconfiguring core dependencies or control of the contract.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The ABI includes initialization, ownership transfer, factory/tool/address replacement, and system-parameter mutation functions that amount to protocol governance capabilities, yet the skill is described as an end-user collateralization workflow. In this context, that mismatch is dangerous because users may authorize the skill expecting routine loan actions while the exposed interface permits high-impact state changes such as swapping factories, interest receivers, or operational timing parameters.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The comments explicitly state that the environment-variable-controlled state path exists to let "attack scripts" use a separate state file. Even though this file is only a utility, that wording strongly indicates the code was designed to facilitate adversarial workflows, and the underlying behavior allows runtime selection of alternate state files without validation, which can enable hidden or parallel execution state and make malicious flow manipulation easier.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The `loadStateFrom` docstring says it is "Used by attack scripts to read the original state while writing to a different file," which is highly inconsistent with the declared BTCD collateralization purpose. In context, this suggests deliberate support for dual-state or covert state handling that could help conceal or coordinate unauthorized actions during a financial workflow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The module exposes the live BTC keypair object via getBTCKeyPair(), giving any importing code direct access to private-key signing material rather than a narrowly scoped signing interface. In an agent skill that performs financial operations, this expands the attack surface significantly: any compromised or overly permissive downstream component can sign arbitrary Bitcoin transactions with the user's funds.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The code logs the EVM address, BTC address, and BTC public key during initialization, unnecessarily disclosing wallet identifiers in logs. While these values are not secret like private keys, log exposure can aid profiling, correlation of user activity, and targeting of high-value wallets, especially if logs are centralized or accessible to operators or third parties.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs users to place raw EVM and BTC private keys into a local .env file without prominent security guidance, isolation requirements, or safer alternatives. Because the workflow controls real wallets on BTC mainnet and an EVM chain, compromise of that file would enable theft of funds or unauthorized transactions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code broadcasts fully signed Bitcoin transactions to public third-party services (mempool.space and NowNodes) without any explicit user disclosure or consent step at the moment of transmission. In a wallet or collateralization skill, this leaks transaction intent and metadata to external operators and removes the user's opportunity to choose a trusted broadcast path, which is a real privacy and operational risk even though broadcasting is necessary for the workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The functions query external blockchain APIs with wallet addresses and transaction identifiers, which exposes user financial metadata and address linkage to third parties without clear disclosure. In the context of a BTCD collateralization flow, this is more sensitive because the skill handles loan, locking, proof, and repayment operations that can reveal user positions and timing, increasing privacy loss and correlation risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
This is a true vulnerability: generatePreImage() creates a secret 32-byte preimage and immediately logs the raw preimage value. In HTLC/loan/collateralization flows, possession of the preimage can enable unauthorized claims, front-running, or premature settlement by anyone who can read logs, making secret leakage especially dangerous in this blockchain skill context.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill directly loads EVM and BTC private keys from configuration and initializes active wallets without any visible user disclosure, consent checkpoint, or indication of secure secret provenance. In the context of a BTCD collateralization skill that can move real assets, undisclosed credential use is more dangerous because it enables autonomous fund-affecting actions with highly sensitive keys.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal