tmrland-personal-demo

Security checks across malware telemetry and agentic risk

Overview

The skill is a mostly transparent TMR Land marketplace integration, but it gives an agent access to wallet withdrawals and KYC identity workflows without consistently requiring explicit confirmation or minimizing the sensitive data it outputs.

Install only if you trust TMR Land and are comfortable giving the agent an API key that may control funds, escrow actions, KYC data, messages, reviews, and marketplace state. Use the narrowest API-key permissions available. Do not let the agent withdraw funds, submit KYC, release escrow, create disputes, or delete data without explicit per-action approval, and avoid pasting identity numbers or raw API keys into shared logs or chats.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documented API exposes authenticated like/dislike actions that change user-associated voting state, while the skill metadata says the Apparatus feature is for browsing predictions. This creates a capability mismatch that can mislead an agent or user into performing account-affecting actions they did not expect, increasing the risk of unauthorized or accidental state changes.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The reset-password section states that a reset token is required, but the example shows a short numeric-looking value in the token field, which can mislead implementers into accepting simple codes where stronger reset tokens are expected. That ambiguity can result in weak password-reset flows, improper validation, or accidental acceptance of low-entropy reset artifacts in production.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script retrieves wallet KYC data even though the declared skill purpose covers business search, escrow, credit evaluation, and predictions, not identity-document access. Pulling sensitive KYC information outside the stated scope creates a privacy and over-privilege risk because users and reviewers would not reasonably expect this capability from the manifest.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
KYC data is highly sensitive personal information, and this file accesses it without any evident justification tied to the declared business function. In a marketplace-oriented agent, unjustified access to identity data materially increases the risk of privacy violations, misuse of personal information, and unauthorized data exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation includes a realistic-looking `raw_key` secret directly in the example response but does not prominently warn that this value is highly sensitive, only shown once, and must never be logged, pasted into chats, or stored insecurely. In an agent/SDK integration context, users often copy examples into code, logs, tests, or prompts, which increases the chance of secret mishandling and credential leakage.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The markdown describes authenticated like/dislike endpoints but does not warn that invoking them mutates persistent, account-linked voting state. In an agent setting, missing disclosure around side effects can cause users or automation to trigger actions without informed consent, especially when the operation appears lightweight.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The send-code response example includes a verification code preview in the API response, which would directly expose a one-time login secret to any client or intermediary receiving the response. If implemented as documented, this defeats the purpose of out-of-band verification and enables account takeover by anyone who can invoke or observe the endpoint response.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The forgot-password response example exposes a password reset code directly in the API response, turning a password recovery mechanism into a credential disclosure channel. An attacker could request a reset for a victim and immediately use the returned code to progress through the reset flow, leading to account compromise.
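The reset-token finding above and the two findings that follow it (a send-code response carrying a code preview, a forgot-password response carrying the reset code) describe one server-side mistake: the one-time secret is weak or is handed back to whoever called the endpoint. The following is an added example, not code from the TMR Land API or the tmrland-personal-demo skill, of a reset flow that issues a high-entropy token, stores only its hash, delivers it out of band, enforces single use and expiry, and returns a body with no secret in it. The in-memory store, the `_outbound_messages` delivery stub, the 15-minute TTL and the names in `SECRET_FIELD_NAMES` are all assumptions made for illustration.

```python
"""Reset/verification token handling that keeps the secret out of the response.

Added example; not code from the TMR Land API or the tmrland-personal-demo skill.
The store, the out-of-band delivery stub, the TTL and the field names are
assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset token is valid for 15 minutes

# user_id -> (sha256 hex of the token, expiry time). Only the hash is kept, so a
# database read or a log line cannot be replayed as a token.
_reset_store: Dict[str, Tuple[str, float]] = {}

# Constructed stand-in for the email/SMS channel: records (user_id, token) so a
# caller can see that the token went out of band and not into the HTTP response.
_outbound_messages: List[Tuple[str, str]] = []

# Response fields that would disclose a one-time secret if present. The names
# mirror the leaks described on this page; the real API's field names are unknown.
SECRET_FIELD_NAMES = {"code", "code_preview", "reset_code", "verification_code", "token", "raw_key"}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def forgot_password(user_id: str, now: Optional[float] = None) -> dict:
    """Issue a reset token for user_id and return the HTTP response body.

    The token has 256 bits of entropy (not a short numeric code), is delivered
    out of band, and never appears in the returned body.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_store[user_id] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    _outbound_messages.append((user_id, token))
    # No token, code or preview field in the body: only a status the caller needs.
    return {"status": "ok", "message": "If the account exists, a reset link was sent."}


def reset_password(user_id: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Consume a presented token: single use, time-bounded, constant-time compared."""
    now = time.time() if now is None else now
    entry = _reset_store.get(user_id)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    if now > expires_at:
        _reset_store.pop(user_id, None)
        return False
    if not hmac.compare_digest(stored_hash, _hash_token(token)):
        return False  # wrong token; a guessed short code cannot match a 256-bit value
    _reset_store.pop(user_id, None)  # single use
    # Assumption: the password update for user_id happens here in a real service.
    return True


def response_leaks_secret(body: dict) -> List[str]:
    """Names of top-level fields in a response body that disclose a one-time secret.

    Usable as a contract test against documented examples such as the send-code
    and forgot-password bodies described on this page.
    """
    return sorted(k for k in body if k in SECRET_FIELD_NAMES)
```

`response_leaks_secret` is the check an integrator can run over the documented example bodies before wiring them into a client; a body like `{"status": "ok", "code_preview": "123456"}` fails it, the body `forgot_password` returns passes.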

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The public API examples expose a stable internal-looking `user_id` for each business profile with no stated privacy purpose, minimization rationale, or warning. Stable identifiers enable cross-endpoint correlation, user/business mapping, and long-term tracking, which can facilitate enumeration, profiling, and privacy harm even if the endpoint is otherwise read-only.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The API documentation states that disputes are decided by 9 AI jurors and that evidence URLs are evaluated asynchronously, but it does not clearly warn users that submitted dispute text, evidence links, and linked content may be ingested and processed by automated decision systems. In a financial/escrow dispute context, this can expose sensitive business data, confidential documents, or third-party information without meaningful user awareness or consent, creating privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The public `GET /api/v1/reviews/business/{business_id}` endpoint returns individual review records including `personal_id`, order linkage, timestamps, and free-text comments with no authentication. This enables unnecessary exposure of identifiable buyer activity and cross-order correlation, which can facilitate profiling, deanonymization, and privacy harm even if the data is not directly secret in isolation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The KYC endpoint collects highly sensitive identity data, but the documentation provides no notice about data handling, storage, retention, sharing, or security expectations. This can lead to over-collection, unsafe client behavior, and privacy harm if integrators send regulated personal data without understanding the protection requirements.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script makes a direct network request for sensitive KYC information and prints the full response, but provides no warning, consent flow, or disclosure to the user. Accessing and emitting personal identity data without clear notice increases the chance of surprise collection, accidental exposure in logs or terminals, and noncompliant handling of regulated personal information.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The script makes an authenticated request to retrieve wallet balances and then prints the full response object, which may expose sensitive financial account details in terminal output, logs, transcripts, or calling-agent context without any explicit notice or consent step. In an agent environment, silent retrieval and broad output of wallet data increases the risk of unnecessary data exposure beyond the minimum needed for the task.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script collects and transmits highly sensitive KYC identity data, including full name and government ID number, but provides no user-facing notice, consent confirmation, masking, or guidance about handling this data safely. In the context of a personal agent for escrow and business marketplace functions, this is especially sensitive because users may invoke the script directly and disclose regulated personal information without clear warning about transmission, storage, or logging risks.
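Several findings on this page share one remedy: the documented `raw_key` secret, the `personal_id` in public review records, and the KYC and wallet scripts that print the full response all need the response cleaned and cut down before it reaches a terminal, a log, or an agent's context. The following is an added example, not code from the tmrland-personal-demo skill or the TMR Land API, of a redaction and minimisation layer a script can place between the HTTP call and its output. The field names in the three sets, the `select` helper and `SAMPLE_RESPONSE` are assumptions constructed from the findings; the real API schema is not reproduced.

```python
"""Redact an API response before it is printed, logged or returned to an agent.

Added example; not code from the TMR Land API or the tmrland-personal-demo skill.
The field names below are assumptions drawn from the findings on this page
(raw_key, personal_id, KYC identity fields, wallet balances); SAMPLE_RESPONSE is
constructed and contains no real data.
"""
import json
from typing import Any, Iterable

SECRET_FIELDS = {"raw_key", "api_key", "code", "code_preview", "reset_code", "verification_code"}
IDENTITY_FIELDS = {"personal_id", "id_number", "document_number", "full_name"}
FINANCIAL_FIELDS = {"balance", "available_balance", "pending_balance"}


def _mask(value: Any) -> str:
    """Keep the last four characters so an operator can still recognise a record."""
    s = str(value)
    return "****" if len(s) <= 4 else "*" * (len(s) - 4) + s[-4:]


def redact(obj: Any, keep_financial: bool = False) -> Any:
    """Return a deep copy of obj with secrets removed and identity data masked.

    Financial figures are masked as well unless the caller states that the task
    needs them (keep_financial=True), which makes the disclosure an explicit choice.
    Nested dicts and lists (for example a list of review records) are handled.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key in SECRET_FIELDS:
                out[key] = "[REDACTED]"
            elif key in IDENTITY_FIELDS:
                out[key] = _mask(value)
            elif key in FINANCIAL_FIELDS and not keep_financial:
                out[key] = _mask(value)
            else:
                out[key] = redact(value, keep_financial)
        return out
    if isinstance(obj, list):
        return [redact(item, keep_financial) for item in obj]
    return obj


def select(obj: dict, paths: Iterable[str]) -> dict:
    """Data minimisation: keep only the dotted paths the task actually needs.

    Missing paths are skipped rather than raising, so a caller can declare the
    fields it wants without knowing which ones the API populated.
    """
    out: dict = {}
    for path in paths:
        src, dst = obj, out
        parts = path.split(".")
        for part in parts[:-1]:
            if not isinstance(src, dict) or part not in src:
                break
            src = src[part]
            dst = dst.setdefault(part, {})
        else:
            if isinstance(src, dict) and parts[-1] in src:
                dst[parts[-1]] = src[parts[-1]]
    return out


def safe_dumps(obj: Any, keep_financial: bool = False) -> str:
    """What a script should print instead of the raw response object."""
    return json.dumps(redact(obj, keep_financial), indent=2, sort_keys=True)


# Constructed sample shaped like the responses the findings describe; not real data.
SAMPLE_RESPONSE = {
    "user_id": 4821,
    "kyc": {"status": "approved", "full_name": "Jane Q Example", "id_number": "AB1234567"},
    "wallet": {"balance": "1250.00", "currency": "USD"},
    "credentials": {"raw_key": "tmr_live_0123456789abcdef"},
    "reviews": [{"personal_id": 98765, "order_id": 555, "comment": "fast delivery"}],
}
```

A wallet-balance script that only needs to know whether funds are available would call `select(resp, ["wallet.currency", "wallet.balance"])` and then `safe_dumps(..., keep_financial=True)`, so the figure is disclosed deliberately and nothing else from the response is.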

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This script performs a real wallet withdrawal immediately after parsing CLI arguments, with no interactive confirmation, dry-run mode, or secondary verification. In the context of a financial marketplace skill that manages escrow and wallet operations, this increases the chance of accidental or script-driven unauthorized fund movement, especially if invoked by another agent or automation layer.
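The overview asks that withdrawals, KYC submission, escrow release, dispute creation and deletions never run without explicit per-action approval, and the finding above shows a withdrawal script that executes straight from its CLI arguments. The following is an added example, not code from the tmrland-personal-demo skill, of a gate such a script could route every side-effecting call through: a dry-run mode, a per-call withdrawal ceiling that applies regardless of approval, an approval callback with no default-yes path, and an audit trail. The action names, the `fake_withdraw` stand-in and the default ceiling are assumptions made for illustration; the real API call is not reproduced.

```python
"""Approval gate for fund-moving and destructive actions.

Added example; not code from the tmrland-personal-demo skill. The action names,
the fake_withdraw stand-in and the withdrawal limit are assumptions made for
illustration; the real skill's scripts and the TMR Land API are not reproduced.
"""
import argparse
import sys
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable, Dict, List, Optional

# Actions the overview says must never run without explicit per-action approval.
PROTECTED_ACTIONS = {"withdraw", "submit_kyc", "release_escrow", "create_dispute", "delete_intention"}

Approver = Callable[[str, dict], bool]
Executor = Callable[[dict], dict]


@dataclass
class ActionGate:
    """Wraps every call to a side-effecting operation.

    approve is asked once per protected action and must return True; there is no
    default-yes path and no flag that silences it, so an upstream agent or
    automation layer cannot pre-approve. dry_run reports what would happen without
    calling the executor. max_withdraw bounds any single withdrawal regardless of
    approval. Every decision is appended to audit.
    """
    approve: Approver
    dry_run: bool = False
    max_withdraw: Optional[Decimal] = None
    audit: List[Dict] = field(default_factory=list)

    def _record(self, action: str, params: dict, outcome: str) -> None:
        self.audit.append({"action": action, "params": dict(params), "outcome": outcome})

    def run(self, action: str, params: dict, execute: Executor) -> dict:
        if action not in PROTECTED_ACTIONS:
            return execute(params)  # read-only calls pass straight through
        if action == "withdraw" and self.max_withdraw is not None:
            amount = Decimal(str(params["amount"]))
            if amount > self.max_withdraw:
                self._record(action, params, "blocked_limit")
                raise PermissionError(f"withdraw {amount} exceeds limit {self.max_withdraw}")
        if self.dry_run:
            self._record(action, params, "dry_run")
            return {"dry_run": True, "action": action, "params": dict(params)}
        if not self.approve(action, params):
            self._record(action, params, "declined")
            raise PermissionError(f"{action} declined by operator")
        result = execute(params)
        self._record(action, params, "executed")
        return result


def fake_withdraw(params: dict) -> dict:
    """Constructed stand-in for the real withdrawal API call; moves nothing."""
    return {"status": "submitted", "amount": str(params["amount"]), "to": params["to"]}


def prompt_operator(action: str, params: dict) -> bool:
    """Interactive approval: the operator must type the action name to confirm."""
    print(f"About to run {action} with {params}", file=sys.stderr)
    return input(f"Type '{action}' to confirm: ").strip() == action


def main(argv: Optional[List[str]] = None) -> int:
    parser = argparse.ArgumentParser(description="withdraw with approval gate")
    parser.add_argument("--amount", required=True)
    parser.add_argument("--to", required=True)
    parser.add_argument("--dry-run", action="store_true")
    parser.add_argument("--max", default="100", help="per-call withdrawal ceiling (assumed default)")
    args = parser.parse_args(argv)
    gate = ActionGate(approve=prompt_operator, dry_run=args.dry_run, max_withdraw=Decimal(args.max))
    try:
        print(gate.run("withdraw", {"amount": args.amount, "to": args.to}, fake_withdraw))
    except PermissionError as exc:
        print(f"refused: {exc}", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The ceiling check runs before the prompt on purpose: an over-limit request is refused without ever asking, so a fatigued operator cannot be talked into it, and the refusal still lands in the audit list.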

Tool Parameter Abuse

High
Category
Tool Misuse
Content
---

## DELETE /api/v1/intentions/{intention_id}

Hard-delete an intention and all associated data (profile, candidates, negotiation sessions). Active negotiation sessions are automatically cancelled before deletion. Blocked for intentions with `contracted` status.
Confidence
82% confidence
Finding
DELETE /api/v1/intentions/{intention_id}

VirusTotal

64/64 vendors flagged this skill as clean.
