Security audit

Agentic Lending EVK Readonly

Security checks across malware telemetry and agentic risk

Overview

This is a high-impact crypto planning skill, but the artifacts are documentation-only and repeatedly limit use to read-only planning, dry-run inspection, and handoff guidance.

Install only as a read-only planning aid. Do not provide private keys or real signer secrets to this skill, do not run live or broadcast commands from it, and separately review any referenced local scripts before using them for real wallet, borrow, swap, funding, or deployment actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The reference documentation exposes transaction-oriented and browser-assisted commands inside a skill explicitly described as read-only and non-sending. In an agent setting, documentation often acts as operational policy, so this contradiction can cause an orchestrator or downstream model to invoke purchase-planning, contract-call preparation, or deployment-related flows that exceed the advertised trust boundary.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The document claims the workflow stops at deployment-readiness and borrow-proof planning, but later instructs use of `deploy-evk-market`, creating an unsafe mismatch between declared scope and permitted actions. Even if described as dry-run or readiness inspection, the presence of a deploy step increases the chance that an agent misclassifies or routes into a deployment-capable path, especially in automation where command names strongly influence behavior.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
This reference file contains concrete execution-oriented inputs such as a live RPC endpoint, signer environment variable, live-send acknowledgement placeholder, repay/deposit/borrow controls, and swap parameters, even though the skill is explicitly described as read-only and non-signer-backed. In this context, bundling actionable transaction configuration materially increases the risk that an agent or operator misuses the file to perform live state-changing actions, violating the declared safety boundary of the skill.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The file explicitly includes `signerEnvName` and an operator acknowledgement field despite the skill claiming it never uses signer-backed execution or transaction submission. Those fields create an execution path and can normalize operator-approved live sending in a supposedly read-only workflow, making accidental or unauthorized transaction preparation more likely.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The `actions`, `repayTopUp`, `repaySwap`, and `collateralSwap` sections define operational transaction behavior including debt repayment, collateral deposits, borrowing, wrapping native assets, and swap routing. For a read-only planning skill, this is dangerous because the configuration is not merely descriptive; it is sufficient to drive value-moving behavior if consumed by an agent or downstream tooling.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
Although framed as planning-only documentation, the file provides concrete inputs, acceptance criteria, handoff steps, and explicit preview/live command patterns for a signer-backed borrow proof workflow. In a supposedly read-only skill, this materially lowers the barrier to transitioning from analysis into live debt-taking execution, which can enable unsafe fund movement or unauthorized operational use if an agent or operator treats the documentation as in-scope guidance.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The document explicitly states the skill is public read-only, but then supplies preflight checks and exact command invocations for a live-capable script including a `--live` mode. That contradiction can mislead downstream agents or users about the operational boundary of the skill and increases the chance that read-only tooling is used to facilitate real transaction execution.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The placeholder value `SET_REQUIRED_LIVE_SEND_ACKNOWLEDGEMENT_PHRASE` indicates an acknowledgement gate exists but does not define an exact, enforceable phrase. Ambiguous approval gates are risky because downstream implementations may treat partial matches, defaults, or unset placeholders as sufficient authorization for sensitive actions.

Natural-Language Policy Violations

Severity: Low
Confidence: 78%
Finding
Hard-coding `LIVE_SIGNER_ENV` in a read-only skill unnecessarily couples the configuration to a production-capable signer source. While the environment variable alone does not execute transactions, in this context it lowers the barrier to accidental use of real credentials and reinforces an execution capability that should not be present at all.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.