Basemail

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This wallet setup skill appears purpose-related, but its recovery-secret and overwrite guidance could cause irreversible wallet loss or unsafe handling of a mnemonic.

Install only if you can inspect and understand the setup script. Before running it, back up any existing wallet files and recovery phrases, confirm exactly whether the mnemonic is written to disk or shown once, and avoid confirming overwrite prompts unless you are certain which wallet material will be deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The script tells users the mnemonic will not be saved to disk, but later instructs them to back up and delete a mnemonic file that is never created. In a wallet-creation flow, contradictory recovery guidance can cause users to misunderstand what was actually persisted, leading to loss of wallet recovery material or unsafe handling of secrets.

Natural-Language Policy Violations

High
Confidence: 88%
Finding
Destructive overwrite prompts are presented only in Chinese, so operators who do not understand the language may confirm deletion without realizing an existing wallet will be permanently removed. In a cryptocurrency wallet setup script, misunderstandings around overwrite confirmation can directly result in irreversible loss of access to funds or recovery artifacts.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

Env credential access

Critical
Finding
Environment variable access combined with network send.

Env credential access

Critical
Finding
Environment variable access combined with network send.

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

Potential exfiltration

Warn
Finding
Sensitive-looking file read is paired with a network send.

Potential exfiltration

Warn
Finding
Sensitive-looking file read is paired with a network send.

VirusTotal

VirusTotal findings are pending for this skill version.
