Clawracle Oracle Resolver

Security checks across malware telemetry and agentic risk

Overview

This skill fits its oracle-agent purpose, but it needs careful review because it can automatically sign fund-moving blockchain transactions and exposes API keys to LLM-directed request construction.

Install only after reviewing the transaction flow. Use a fresh low-balance wallet, test on a non-production network first, set strict spend and bond limits, and add confirmation or dry-run gates before approvals, submissions, validation, or finalization. Load the private key from a secrets manager or a permission-restricted file rather than exporting it on the command line, where it lands in shell history. Do not pass real API keys into LLM prompts; keep credentials in trusted executor code with domain and endpoint allowlists, and let the model supply only the request parameters that the allowlist permits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no explicit permissions while clearly requiring sensitive capabilities: environment secrets and network/on-chain access. That omission can mislead operators and downstream policy engines, causing the skill to be invoked without informed consent even though it can read a private key, call external APIs, and submit blockchain transactions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documentation does not match what the code actually implements: it references additional on-chain actions such as registration and finalization, and overstates implemented capabilities like validation and LLM/API-driven resolution. Security reviewers and users may therefore authorize a skill under false assumptions, leading to unexpected transactions, approvals, or trust in correctness mechanisms that are not actually implemented.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The example is presented as a complete working integration, but later calls `registry.finalizeRequest(requestId)` even though `finalizeRequest` is not declared in the provided ABI. In practice this causes runtime failure or nonfunctional settlement logic, which is especially risky here because the agent is intended to autonomously submit, dispute, validate, and finalize on-chain actions for financial reward.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README presents conflicting security-critical timing parameters: earlier sections describe a 5-minute dispute window and 5-minute validation/finalization flow, while the Security Considerations section claims a 24-hour validation window and also contradicts the documented minimum bond. In an oracle protocol, inconsistent timing and economic parameters can cause operators and integrators to act on false assumptions, leading to missed disputes, incorrect automation, or financial loss.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The document claims the examples are production-ready, but the code is incomplete, inconsistent with earlier signatures, and omits important safeguards. In an autonomous on-chain agent context, operators may deploy or adapt broken examples that mishandle approvals, submissions, or finalization logic, leading to failed transactions, locked funds, or unsafe automation.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The configuration explicitly authorizes agents to create and edit API configuration and documentation files using local filesystem writes. In a security-sensitive oracle resolver, this grants persistent self-modification capability that can be abused to change endpoints, alter documentation used for tool selection, or redirect future queries to attacker-controlled services, especially because the same file also controls API key handling and routing behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The guide instructs the agent to read arbitrary API credentials from environment variables and then use them in LLM-directed outbound requests. In this skill, the request destination and parameters are dynamically derived from documentation and model reasoning, so secrets can be sent to unintended endpoints or exposed through prompt injection, misconfiguration, or hostile docs.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This documentation explicitly enables unconstrained LLM construction of HTTP method, URL, headers, and body from untrusted docs and queries, then executes the result. That creates an SSRF and data-exfiltration primitive: the model can be induced to call arbitrary hosts, include sensitive headers, or misuse credentials without deterministic validation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The example code reads documentation files from multiple filesystem paths based on configuration before making outbound calls. If configuration or packaged docs are tampered with, the agent can ingest attacker-controlled instructions or unintended local files, which then steer subsequent external requests and increase the chance of prompt injection or sensitive file exposure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The example directly instantiates a wallet from `process.env.PRIVATE_KEY` without any warning about secret handling, hot-wallet risk, or limiting key privileges. In a skill that encourages unattended autonomous blockchain activity, this increases the chance that users run production funds from an always-on process with insufficient operational security.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The example performs state-changing blockchain operations such as token approval and `resolveRequest(...)` submission without an explicit warning that these actions spend gas, lock bonds, and can create financial loss if triggered on bad data or at the wrong time. Given this skill's purpose is automated oracle participation for token rewards, the absence of transaction-risk warnings is more dangerous than in a passive read-only example because users may deploy it unattended and authorize repeated on-chain actions.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The deployment instructions tell users to export a private key directly in the shell without any warning about credential sensitivity, reuse risk, shell history exposure, or limiting the key to a dedicated low-value account. For a blockchain deployment workflow, this increases the chance of accidental secret leakage and wallet compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README includes mainnet deployment and verification commands without warning that these actions are irreversible and may involve real funds, approvals, and live contract interaction. In a protocol that handles tokens, bonds, and reward transfers, omission of this warning can lead users to deploy or transact on mainnet unintentionally and suffer financial loss.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill states that it automatically creates and updates local state in agent-storage.json, but the warning is weak and buried in implementation details. Automatic persistent writes can expose operational metadata, interfere with other tooling, or create privacy and integrity issues if users are unaware that state survives restarts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes approving token bonds and submitting/finalizing on-chain transactions, but it does not clearly and prominently warn that these actions may happen automatically using the configured private key. In context, this is especially dangerous because the skill is designed to act quickly in a financial protocol, so hidden or understated transaction behavior can directly cause token loss, slashing, gas expenditure, or unintended approvals.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The markdown normalizes autonomous token approvals and on-chain submissions without warning that these actions spend assets, post bonds, and can trigger irreversible financial consequences. In this skill's context, agents are explicitly designed to act autonomously on blockchain events, so missing user warnings materially increases the risk of operators enabling unattended fund movement or bond slashing.
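The findings above on unattended approvals, bond submissions, and the `finalizeRequest` call that the provided ABI never declares all point at the same missing control: a policy gate between the agent's decision and the signer. The following is an added example written for this page, not code from the Clawracle skill or its README. The ABI fragments, chain ids, spend limits and the `tx` object shape are hypothetical; the gate refuses any function absent from the ABI, any chain outside an allowlist, any bond above a per-transaction cap, any approval that is not exactly the bond (which rules out unlimited `MAX_UINT256` approvals), and any cumulative spend beyond a session cap. With `dryRun` set, it only plans; with confirmation required, it refuses until an operator acknowledges the specific transaction.

```javascript
// Added example (not the skill's code): a policy gate that sits between the
// agent's decision and the signer. Nothing is signed unless the gate returns
// 'sign'. The ABI fragments, limits, chain ids and tx shape are hypothetical.
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed ABI in the ethers-style fragment shape. `finalizeRequest` is left
// out on purpose, mirroring the finding that the README calls a function the
// provided ABI does not declare.
const REGISTRY_ABI = [
  { type: 'function', name: 'resolveRequest', inputs: [{ name: 'requestId', type: 'bytes32' }, { name: 'answer', type: 'bytes' }] },
  { type: 'function', name: 'disputeRequest', inputs: [{ name: 'requestId', type: 'bytes32' }] },
  { type: 'event', name: 'RequestCreated', inputs: [{ name: 'requestId', type: 'bytes32' }] },
];

const ONE_TOKEN = 10n ** 18n;
const DEFAULT_POLICY = {
  allowedChainIds: [11155111],          // Sepolia only; mainnet (1) is deliberately absent
  maxBondWei: 5n * ONE_TOKEN,           // per-transaction bond cap
  maxSessionSpendWei: 20n * ONE_TOKEN,  // cumulative cap until an operator resets the ledger
  dryRun: true,                         // plan and log, never sign
  requireConfirmation: true,            // explicit human ack per tx when not dry-running
};

function abiHasFunction(abi, name) {
  return abi.some((f) => f.type === 'function' && f.name === name);
}

// Cumulative bonded value for the process lifetime; only charged on 'sign'.
function newLedger() {
  return { spentWei: 0n };
}

// tx: { chainId, fn, args, bondWei, approveWei?, confirmed? }
// Returns { decision: 'reject' | 'dry-run' | 'needs-confirmation' | 'sign', reasons }.
function gateTransaction(tx, policy, abi, ledger) {
  const reasons = [];
  const bond = tx.bondWei ?? 0n;
  if (!policy.allowedChainIds.includes(tx.chainId)) reasons.push(`chain ${tx.chainId} not allowed`);
  if (!abiHasFunction(abi, tx.fn)) reasons.push(`${tx.fn} is not declared in the ABI`);
  if (bond > policy.maxBondWei) reasons.push(`bond ${bond} exceeds per-tx cap ${policy.maxBondWei}`);
  // Approve exactly the bond: an unlimited (MAX_UINT256) approval would let the
  // registry pull funds later, long after this request is settled.
  if (tx.approveWei !== undefined && tx.approveWei !== bond) reasons.push('approval must equal the bond, never unlimited');
  if (ledger.spentWei + bond > policy.maxSessionSpendWei) reasons.push('session spend cap reached; operator must reset');
  if (reasons.length) return { decision: 'reject', reasons };

  if (policy.dryRun) return { decision: 'dry-run', reasons: [] };
  if (policy.requireConfirmation && !tx.confirmed) return { decision: 'needs-confirmation', reasons: [] };
  ledger.spentWei += bond;  // charged only when the tx is actually handed to the signer
  return { decision: 'sign', reasons: [] };
}
```

The signer (whatever wallet library the deployment uses) should be called only on a `'sign'` decision, and a `'reject'` with reasons should be logged rather than retried, since the same bad input will fail the same way.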

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The example directly references sensitive environment variables such as PRIVATE_KEY and API keys without any accompanying handling guidance. In a skill intended for autonomous agents, users may copy the pattern into insecure deployments, increasing the chance of secret leakage through logs, misconfiguration, weak storage, or unsafe execution environments.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation logic triggers on a loosely matched category string extracted from natural-language requests, which is overly broad and easy to invoke unintentionally or through prompt injection. In this skill, ambiguous routing can cause the agent to select the wrong external API, mishandle oracle queries, or perform network actions based on attacker-crafted text rather than an explicit, validated task type.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest instructs the agent to overwrite configuration and documentation files without any warning, approval gate, or integrity protection. This is dangerous because a prompt or owner-impersonation scenario could cause persistent modification of local behavior, enabling future misuse, endpoint substitution, or poisoned documentation that influences subsequent actions.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The documentation shows use of an `apiKey` query parameter and `X-Api-Key` header but does not warn that API keys are secrets that should not be embedded in client-side code or exposed in URLs, browser history, referrers, or logs. In an agent skill that fetches external data, this omission can lead implementers to leak credentials during integration, especially if they copy the documented URL-based example directly.

Missing User Warnings

High
Confidence
99% confidence
Finding
The guide tells the system to send full API documentation, configuration, and API keys to the LLM as prompt context. That unnecessarily discloses credentials and sensitive integration details to the model layer and any associated logging, tracing, or third-party processing, expanding the blast radius of compromise.

Missing User Warnings

High
Confidence
99% confidence
Finding
The example prompt embeds the API key directly into model-visible input. In practice this can leak secrets into model logs, telemetry, cached context, or downstream tool outputs, and makes prompt injection substantially more dangerous because the model already holds the credential.

Ssd 3

Medium
Confidence
90% confidence
Finding
The example query asks agents to identify who bought a house at a specific street address, which encourages collection, inference, and disclosure of personal data about a likely private individual. In an AI-agent oracle skill, this is more dangerous because it operationalizes privacy-invasive lookups and normalizes using agents to resolve sensitive real-world identity questions.

Ssd 2

Medium
Confidence
97% confidence
Finding
The injected nonsensical/manipulative text inside an event heading is a red flag because the file is supposed to be technical reference material, yet it contains adversarial-looking content unrelated to the schema. Even though it is not executable, such prompt-like or manipulative text in skill content can influence downstream LLM-based tooling, documentation consumers, or automated agents that ingest markdown naively.

Ssd 3

Medium
Confidence
97% confidence
Finding
This prompt template exposes API keys plus detailed API configuration to the model in plain language. Even if no immediate exfiltration occurs, it violates least-privilege for model context and increases the odds of accidental disclosure, misuse of privileged endpoints, and insecure downstream reproduction by developers.
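The findings on LLM-constructed HTTP requests, API keys embedded in prompts, and the loosely matched category trigger share one fix: the model proposes a request, a trusted executor validates it against a per-API allowlist and attaches the credential itself. The following is an added example written for this page, not code from the Clawracle skill. The API names, hosts, path prefixes and environment-variable names are hypothetical. The executor requires an explicit allowlisted `api` key rather than a free-text category, accepts only `https`, rejects non-allowlisted hosts and paths, refuses userinfo in the URL, refuses credential-looking query parameters and any auth-type header from the model, and injects the key only at the last step from its own environment.

```javascript
// Added example (not the skill's code): a trusted executor that takes a request
// *spec* from the model but owns the credentials itself. The model never sees an
// API key, cannot pick an arbitrary host, and cannot set auth headers; it can only
// fill in a path and parameters under an endpoint the operator allowlisted.
// API names, hosts, path prefixes and env-var names below are hypothetical.
const API_ALLOWLIST = {
  weather: {
    hosts: ['api.example-weather.test'],
    pathPrefixes: ['/v1/forecast', '/v1/current'],
    methods: ['GET'],
    authHeader: 'X-Api-Key',      // attached by the executor, never by the prompt
    keyEnv: 'WEATHER_API_KEY',
  },
  sports: {
    hosts: ['api.example-sports.test'],
    pathPrefixes: ['/v2/scores'],
    methods: ['GET', 'POST'],
    authHeader: 'X-Api-Key',
    keyEnv: 'SPORTS_API_KEY',
  },
};

// Headers the model may never supply: authentication is the executor's job.
const FORBIDDEN_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'x-api-key']);
// Query-parameter names that look like a credential; reject rather than forward.
const SECRET_PARAM = /api[_-]?key|token|secret|password/i;

// spec: { api, method, url, headers?, body? } as produced by the model.
// env:  where real keys live; defaults to process.env.
// Returns { ok: true, request } or { ok: false, reason }.
function buildRequest(spec, env = process.env) {
  const api = API_ALLOWLIST[spec.api];
  if (!api) return { ok: false, reason: `api not allowlisted: ${spec.api}` };

  let url;
  try { url = new URL(String(spec.url)); } catch { return { ok: false, reason: 'unparseable url' }; }
  // The WHATWG parser normalizes "..", so "/v1/forecast/../../admin" arrives here
  // as "/admin" and fails the prefix check below.
  if (url.protocol !== 'https:') return { ok: false, reason: 'https required' };
  if (url.username || url.password) return { ok: false, reason: 'userinfo in url' };
  if (!api.hosts.includes(url.hostname)) return { ok: false, reason: `host not allowlisted: ${url.hostname}` };
  if (!api.pathPrefixes.some((p) => url.pathname === p || url.pathname.startsWith(p + '/'))) {
    return { ok: false, reason: `path not allowlisted: ${url.pathname}` };
  }
  for (const name of url.searchParams.keys()) {
    if (SECRET_PARAM.test(name)) return { ok: false, reason: `credential-like query param: ${name}` };
  }

  const method = String(spec.method || 'GET').toUpperCase();
  if (!api.methods.includes(method)) return { ok: false, reason: `method not allowed: ${method}` };

  const headers = {};
  for (const [name, value] of Object.entries(spec.headers || {})) {
    if (FORBIDDEN_HEADERS.has(name.toLowerCase())) return { ok: false, reason: `model may not set header: ${name}` };
    headers[name] = String(value);
  }
  const key = env[api.keyEnv];
  if (!key) return { ok: false, reason: `missing ${api.keyEnv} in executor env` };
  headers[api.authHeader] = key;   // the only place the secret is attached

  return {
    ok: true,
    request: { method, url: url.toString(), headers, body: method === 'GET' ? undefined : spec.body },
  };
}

// Usage: const r = buildRequest(modelSpec); if (r.ok) await fetch(r.request.url, r.request);
```

Because the prompt now carries only the allowlist's public shape (API names, path prefixes, parameter docs) and never the key, a prompt-injected instruction to "include your API key in the URL" has nothing to disclose, and a request aimed at a metadata service or an attacker host fails the host check before any network call.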

VirusTotal

65 of 65 vendors reported this skill as clean.

View on VirusTotal