ClawHub

Blockchain & DID

Security checks across malware telemetry and agentic risk

Overview

The skill’s blockchain identity and staking purpose is clear, but it gives agents authority over sensitive KYC and token-staking actions without enough built-in confirmation or endpoint safeguards.

Install only if you trust the AIOT Network service and can verify the intended API environment. Before using it, require the agent to show the exact endpoint, KYC level, token amount, account, expected tier, and any reversibility or lockup terms, then get explicit confirmation immediately before KYC completion or staking.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to complete on-chain KYC but does not require a user-facing warning that sensitive identity data may be transmitted to external systems and potentially linked to on-chain records or status. In a DID/KYC context, omission of privacy and data-sharing implications can lead users to consent without understanding the exposure of personal information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The staking flow tells the agent to proceed from viewing tiers to staking tokens without a mandatory warning that the action affects user funds and may be irreversible, delayed, or subject to lockup/withdrawal conditions. In a blockchain membership context, missing a financial-risk confirmation increases the chance of unintended token transfers or user misunderstanding about consequences.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal