Nadname Agent

Security checks across malware telemetry and agentic risk

Overview

This skill broadly fits its blockchain name-registration purpose, but it handles wallet keys and irreversible transactions while some lookup results are simulated or overstated as reliable.

Review carefully before installing. Use a dedicated low-balance wallet, prefer dry-run first, avoid exposing a primary wallet private key, do not rely on this skill as the sole source of name availability or ownership truth, and independently verify through official NNS sources before spending MON.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill description says it performs secure .nad registration, but the detected behavior includes wallet creation, local secret storage, mnemonic prompting/storage, and simulated/mock blockchain checks that are not disclosed up front. This mismatch is dangerous because users may expose private keys or trust inaccurate registration/ownership results without understanding the actual secret-handling and non-authoritative behavior.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script advertises accurate blockchain-backed availability checks, but its fallback path is not a real chain state lookup. Instead it uses a hardcoded heuristic list and can even return 'available' when the check fails, which can mislead users into believing a name is free when it is not. In a blockchain registration context, incorrect availability information can cause wasted gas, failed transactions, or social engineering opportunities around name acquisition.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The comment states this is an on-chain availability check, but the implementation below does not read blockchain state and instead simulates likely taken names. This mismatch is dangerous because maintainers and users may trust the function as authoritative, increasing the chance of bad operational decisions based on fabricated results.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The exported behavior and surrounding claims suggest real API integration and registration-related reliability, but the checker can return assumed or simulated availability rather than verified data. In the context of a name-registration skill tied to blockchain transactions, this discrepancy is more dangerous because users may act on false information and incur failed registrations, wasted fees, or trust the broader skill incorrectly.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script presents itself as an NNS lookup tool but explicitly returns simulated mock data instead of querying the blockchain. This is dangerous because users may make decisions based on fabricated ownership results, and in a blockchain context misleading on-chain status claims can cause financial loss, operational errors, or false assurance about asset ownership.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The script claims the operation is read-only and does not require a private key for custom addresses, yet it still reads PRIVATE_KEY from the environment to derive an address. Reading sensitive credential material when it is not necessary expands secret exposure risk, especially in agent or automation environments where environment variables may be broadly available.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The encryption/decryption code is broken and does not actually implement AES-256-GCM correctly: it generates an IV but never uses it, and it calls legacy createCipher/createDecipher APIs instead of IV-based GCM initialization. This can cause the managed keystore and encrypted mnemonic handling to fail unpredictably or provide weaker-than-claimed protection for highly sensitive wallet secrets.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README instructs users to export a raw PRIVATE_KEY and run a script that performs an on-chain registration, but it does not explicitly warn that private keys are highly sensitive secrets or that blockchain transactions are irreversible and may spend funds. In a wallet- and transaction-handling skill, omission of those warnings increases the chance of unsafe operator behavior, secret exposure in shell history or process environments, and accidental submission of unintended transactions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script derives an address directly from PRIVATE_KEY without prominently warning the user that sensitive environment credentials will be accessed. In shared shells, CI systems, or agent runtimes, unnecessary secret consumption increases the chance of accidental disclosure, misuse, or normalization of unsafe secret-handling patterns.

VirusTotal

VirusTotal findings are pending for this skill version.
