Agentic Lending Evk

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned for EVK lending automation, but it can send real crypto transactions and has weak safeguards around private keys, saved run files, approvals, and swap limits.

Install only if you intentionally want an agent to prepare and potentially send real DeFi transactions. Keep private keys out of request files and CLI arguments, use preview/preflight first, inspect persisted artifacts before reuse, set nonzero swap limits, and avoid unlimited approvals unless you explicitly accept that risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly supports environment-variable secret use (`LIVE_SIGNER_ENV`) and network/onchain operations, including real transactions, but it declares no explicit permissions. That mismatch is a real security issue because an execution-capable skill that can access signer material and perform network writes may be granted more capability than reviewers or policy engines can see, undermining least-privilege review and approval.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The file is for a skill that can perform real onchain writes, but the required operator acknowledgement is left as a placeholder string instead of a concrete phrase and enforcement contract. That makes it easy for tooling or operators to treat any value as sufficient, weakening the explicit-consent barrier before approvals, swaps, funding, deployment, or borrow actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This documentation explicitly instructs operators to perform live-capable EVK requests and describes persisted-run helpers for deployment handoff, but the referenced section does not itself include a clear, immediate warning that these actions may trigger real onchain transactions affecting funds, approvals, swaps, deployments, and borrow state. In an agent skill that can progress from planning into signer-backed execution, omission of an explicit transactional risk warning increases the chance of unsafe operator use or accidental escalation from preview to live execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The CLI accepts a raw `--private-key` argument and uses it directly to create a signer for simulation and live transaction submission. In a high-automation agentic lending workflow that can perform real onchain writes, passing secrets via CLI arguments is dangerous because keys are commonly exposed through shell history, process listings, logs, crash reports, or orchestration telemetry.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The `deploy-communal-proxy` path also consumes a raw private key and can submit an onchain deployment transaction after only a string acknowledgement check. In this skill context, which is explicitly capable of live writes and likely to be driven by agents or automation, that increases the chance that sensitive credentials are handled unsafely or leaked through invocation surfaces while still enabling real asset-affecting actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This template programmatically constructs a request object with live transaction controls enabled, including `broadcast.enabled: true`, `send.enabled: true`, `dryRun: false`, and a dynamically assembled private key field. Even though values are placeholders, embedding a broadcast-ready signing structure in a reusable helper lowers the barrier to accidental mainnet execution and secret injection, which is especially risky in a skill explicitly designed for real onchain writes such as funding feeds, deployments, approvals, swaps, and borrow canaries.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This code persists the full `request` object to `request.json` whenever artifacts are enabled, and elsewhere the request schema explicitly allows sensitive fields such as `send.privateKey` and `feedFunding.privateKey`. In a skill designed for real onchain execution, writing raw secrets and full live-execution inputs to disk creates a high-risk secret exposure path through local files, logs, backups, CI artifacts, or shared run directories.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The send path can submit live transactions via `wallet.sendTransaction(...)` once request fields satisfy structural checks, but there is no guaranteed last-mile interactive disclosure or confirmation at the execution point itself. Because this skill explicitly targets signer-backed market deployment, approvals, swaps, and borrow canaries, any caller or higher-level agent mistake can result in unintended irreversible onchain actions and financial loss.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal