Basename Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for Basename/BaseMail registration, but its wallet automation can approve broad WalletConnect sessions and send arbitrary transactions without clear user confirmation.

Review this carefully before installing. Use only a dedicated low-balance wallet, avoid unattended execution, and do not connect it to arbitrary dApps. The publisher should narrow WalletConnect permissions to exact Basename contracts and methods, validate every transaction, remove eth_sign support, and add explicit confirmation and privacy disclosures before this is suitable for normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The script approves a WalletConnect session with broad methods including personal_sign, eth_signTypedData(_v4), eth_signTransaction, and eth_sendTransaction for the connected site, even though basename registration should require a much narrower interaction profile. In an automated agent context, this gives the remote dapp a large signing surface that could be abused for phishing signatures, permit-style approvals, or other unintended actions if the webpage or session peer is compromised or malicious.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The session_request handler forwards any eth_sendTransaction request to wallet.sendTransaction using attacker-controlled to, value, and data fields, with no allowlist of destination contracts, function selectors, value limits, or calldata validation. Because the WalletConnect URI is sourced from a live webpage and the agent auto-approves the session, a malicious or compromised site could drain funds or execute arbitrary onchain actions from the wallet.
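The two findings above describe the controls that are missing. What follows is an added example, not code from the skill or its publisher, of a fail-closed policy layer: a session proposal is approved only for the intersection of the methods it requests and the methods the registration flow needs, on one chain, and every eth_sendTransaction is checked against a destination allowlist, a per-destination function-selector allowlist and a per-call value cap before it could ever reach wallet.sendTransaction. The chain (Base mainnet, eip155:8453), the registrar address, the selectors and the WalletConnect v2 event shapes are assumptions; substitute the real Basename registrar contract and its ABI selectors before use.

```javascript
// Added example, not the skill's code: a fail-closed WalletConnect v2 policy
// for a Basename registration agent. The chain, the registrar address and the
// function selectors are placeholders (assumptions); replace them with the
// real Basename registrar contract and its ABI selectors.

const CHAIN = "eip155:8453"; // assumption: Basenames are registered on Base mainnet

// Methods the registration flow needs and nothing more. eth_sign is never
// offered; eth_signTypedData(_v4) and eth_signTransaction are dropped as well.
const ALLOWED_METHODS = new Set(["eth_sendTransaction", "personal_sign"]);

// destination address -> 4-byte selectors it may be called with (hypothetical values)
const REGISTRAR = "0x1111111111111111111111111111111111111111";
const ALLOWED_CALLS = {
  [REGISTRAR]: new Set(["0xaaaaaaaa", "0xbbbbbbbb"]),
};

const MAX_VALUE_WEI = 10n ** 16n; // 0.01 ETH per call: a low ceiling, not a budget

const reject = (reason) => ({ ok: false, reason });

// session_proposal: refuse any proposal that *requires* more than we grant, and
// approve only the intersection of what was asked for and what is allowed.
function buildApprovedNamespaces(proposal, account) {
  const req = proposal.params.requiredNamespaces?.eip155 ?? {};
  const opt = proposal.params.optionalNamespaces?.eip155 ?? {};
  for (const m of req.methods ?? []) {
    if (!ALLOWED_METHODS.has(m)) return reject(`required method not granted: ${m}`);
  }
  for (const c of req.chains ?? []) {
    if (c !== CHAIN) return reject(`required chain not granted: ${c}`);
  }
  const requested = new Set([...(req.methods ?? []), ...(opt.methods ?? [])]);
  const methods = [...requested].filter((m) => ALLOWED_METHODS.has(m)).sort();
  return {
    ok: true,
    namespaces: {
      eip155: {
        chains: [CHAIN],
        methods,
        events: ["accountsChanged", "chainChanged"],
        accounts: [`${CHAIN}:${account}`],
      },
    },
  };
}

// session_request: validate before anything reaches wallet.sendTransaction.
function validateSessionRequest(event) {
  const { method, params } = event.params.request;
  if (event.params.chainId !== CHAIN) return reject(`wrong chain: ${event.params.chainId}`);
  if (method === "eth_sign") return reject("eth_sign signs attacker-chosen bytes; never honoured");
  if (!ALLOWED_METHODS.has(method)) return reject(`method not in session allowlist: ${method}`);
  if (method !== "eth_sendTransaction") return { ok: true };

  const tx = params[0] ?? {};
  if (typeof tx.to !== "string") return reject("contract creation / missing `to` is not allowed");
  const selectors = ALLOWED_CALLS[tx.to.toLowerCase()];
  if (!selectors) return reject(`destination not in allowlist: ${tx.to}`);
  const data = (tx.data ?? "0x").toLowerCase();
  if (!/^0x[0-9a-f]{8}/.test(data)) return reject("calldata carries no function selector");
  const selector = data.slice(0, 10);
  if (!selectors.has(selector)) return reject(`selector not allowed on ${tx.to}: ${selector}`);
  let value = 0n;
  try { value = tx.value ? BigInt(tx.value) : 0n; } catch { return reject(`unparseable value: ${tx.value}`); }
  if (value > MAX_VALUE_WEI) return reject(`value ${value} wei exceeds per-call cap`);
  return { ok: true };
}

// Constructed sample events in the WalletConnect v2 event shape (assumed).
const wcRequest = (method, params) => ({ topic: "t", params: { chainId: CHAIN, request: { method, params } } });

// 0x38d7ea4c68000 wei = 0.001 ETH, sent to the registrar with an allowed selector
const legitRegister = wcRequest("eth_sendTransaction", [{ to: REGISTRAR, value: "0x38d7ea4c68000", data: "0xaaaaaaaa" + "00".repeat(64) }]);
// 1 ETH plain transfer to an unknown address: what a drain looks like
const drainAttempt = wcRequest("eth_sendTransaction", [{ to: "0x2222222222222222222222222222222222222222", value: "0xde0b6b3a7640000", data: "0x" }]);
const rawSign = wcRequest("eth_sign", ["0x" + "ab".repeat(32)]);

// A dApp that requires one method but optionally asks for the whole signing surface.
const broadProposal = {
  params: {
    requiredNamespaces: { eip155: { chains: [CHAIN], methods: ["eth_sendTransaction"], events: [] } },
    optionalNamespaces: { eip155: { chains: [CHAIN], methods: ["eth_sign", "eth_signTypedData_v4", "personal_sign"], events: [] } },
  },
};

console.log(validateSessionRequest(legitRegister), validateSessionRequest(drainAttempt), validateSessionRequest(rawSign));
console.log(JSON.stringify(buildApprovedNamespaces(broadProposal, "0x" + "33".repeat(20)).namespaces));
```

The value cap is per call and deliberately tiny; it is a backstop for a low-balance wallet, not a spending budget. The proposal handler never grants the superset a dApp asks for: a proposal that requires eth_sign is refused outright, and one that merely lists it as optional is approved without it.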

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
This script introduces a general-purpose WalletConnect wallet that can pair with arbitrary dApps and sign messages or transactions, which is far broader than the stated Basename registration/email purpose. In a skill context, this creates an over-privileged capability that could be abused to drain funds, approve malicious actions, or authenticate phishing payloads through remote session requests.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The session approval and request handlers accept arbitrary WalletConnect proposals and process sensitive methods including transaction sending, personal_sign, and typed-data signing, with auto-approval possible when interactive mode is off. Because the skill is supposed to help with Basename identity/email registration, this unrestricted signing surface is unjustified and highly dangerous: a malicious or compromised dApp can obtain signatures or trigger value-transferring transactions unrelated to the skill's purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The code explicitly supports enabling eth_sign via a flag even though its own comments acknowledge that the method is dangerous. Raw eth_sign signs an arbitrary attacker-chosen 32-byte payload with no prefix or structure, which is a well-known phishing primitive and is unrelated to the declared Basename registration/email functionality.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The examples perform real wallet signing, contract calls, and API registration flows without an explicit warning that they can spend ETH, register irreversible live names, and create external accounts/tokens. Users may copy-paste the example as if it were demonstrative only, leading to unintended fund expenditure or permanent registrations. Because the skill targets agents, automation raises the chance that this executes unattended.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The auto-register flow transmits wallet address, signed authentication material, and bearer tokens to a third-party service without a clear privacy and data-sharing disclosure in the skill description. Even if this is expected for the service to function, users are not clearly informed what identifiers and credentials leave the local environment. In the context of an identity/email registration service, this external sharing is especially relevant because it links wallet identity to off-chain service accounts.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
Transactions are signed and broadcast automatically upon receiving a WalletConnect request, without displaying a human-readable summary or requiring user confirmation. In a browser-automation agent that handles a private key, this materially increases the risk of silent unauthorized spending if the page, WalletConnect session, or request contents are manipulated.
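The finding above is about the missing confirmation step. Below is an added example, not code from the skill, of the two pieces that step needs: a function that turns a WalletConnect session_request into a human-readable summary (destination, decoded function name where the selector is known, value in ETH, or the decoded personal_sign message), and a decision gate that only ever approves when the agent is in interactive mode and an operator has confirmed that exact summary; with interactive mode off it denies everything, so unattended execution can never sign. The selector-to-name table, the WalletConnect event shape and the personal_sign parameter order (message, then address) are assumptions.

```javascript
// Added example, not the skill's code: human-readable request summaries and a
// fail-closed confirmation gate. KNOWN_SELECTORS is a hypothetical table;
// populate it from the real registrar ABI.

const KNOWN_SELECTORS = {
  "0xaaaaaaaa": "register(name, owner, duration)", // hypothetical
  "0xbbbbbbbb": "renew(name, duration)",           // hypothetical
};

// Render wei as a decimal ETH string without floating point.
function formatEth(wei) {
  const whole = wei / 10n ** 18n;
  const frac = (wei % 10n ** 18n).toString().padStart(18, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// Describe what signing this request would actually do, in one line.
function describeRequest(event) {
  const { method, params } = event.params.request;
  const chain = event.params.chainId;
  if (method === "eth_sendTransaction") {
    const tx = params[0] ?? {};
    const data = (tx.data ?? "0x").toLowerCase();
    const selector = /^0x[0-9a-f]{8}/.test(data) ? data.slice(0, 10) : null;
    const fn = selector ? (KNOWN_SELECTORS[selector] ?? `UNKNOWN FUNCTION ${selector}`) : "plain ETH transfer";
    let value = 0n;
    try { value = tx.value ? BigInt(tx.value) : 0n; } catch { return `SEND TRANSACTION on ${chain}: unparseable value ${tx.value}`; }
    return `SEND TRANSACTION on ${chain}: ${fn} at ${tx.to ?? "<contract creation>"}, sending ${formatEth(value)} ETH`;
  }
  if (method === "personal_sign") {
    // assumed parameter order: [hexMessage, signerAddress]
    const text = Buffer.from(params[0].slice(2), "hex").toString("utf8");
    return `SIGN MESSAGE as ${params[1]}: ${JSON.stringify(text)}`;
  }
  return `REQUEST ${method}: ${JSON.stringify(params)}`;
}

// Fail closed: nothing is approved unless an operator confirms the summary.
// `confirm` is a synchronous prompt callback returning true only on explicit approval.
function decide(event, { interactive, confirm }) {
  const summary = describeRequest(event);
  if (!interactive) {
    return { approved: false, summary, reason: "non-interactive mode: unattended signing is refused" };
  }
  const approved = confirm(summary) === true;
  return { approved, summary, reason: approved ? "operator confirmed" : "operator declined" };
}

// Constructed sample request (WalletConnect v2 event shape assumed).
const sampleTx = {
  topic: "t",
  params: {
    chainId: "eip155:8453",
    request: {
      method: "eth_sendTransaction",
      params: [{ to: "0x1111111111111111111111111111111111111111", value: "0x38d7ea4c68000", data: "0xaaaaaaaa" + "00".repeat(64) }],
    },
  },
};
const sampleSign = {
  topic: "t",
  params: { chainId: "eip155:8453", request: { method: "personal_sign", params: ["0x68656c6c6f", "0x" + "33".repeat(20)] } },
};

console.log(decide(sampleTx, { interactive: false, confirm: () => true }));
console.log(decide(sampleSign, { interactive: true, confirm: (s) => { console.log(s); return true; } }));
```

The summary is what the operator confirms, so it must be derived from the request bytes and not from anything the dApp says about itself; an unknown selector is surfaced as such rather than trusted.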

VirusTotal

VirusTotal findings are pending for this skill version.
