TokClaw Wallet

Security checks across malware telemetry and agentic risk

Overview

This wallet skill performs relevant wallet tasks, but it gives the agent broad authority to run remote code, store wallet secrets, and execute sensitive actions with weak user review.

Install only if you fully trust TokClaw and are comfortable with a remote shell script running on your machine. Use a low-value wallet first, inspect the installer before running it, avoid sharing OTPs or PINs in chat, delete plaintext PIN/token files when not needed, and require a clear manual review before any transfer or PIN change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

High (99% confidence)

The skill explicitly instructs the agent to execute a remote installer via `curl ... | sh` and then run shell commands autonomously. That grants arbitrary code execution from a network source unrelated to a narrowly bounded wallet interface, creating a direct path to system compromise, persistence, credential theft, or exfiltration.

Intent-Code Divergence

Medium (95% confidence)

The skill says never to expose the user's PIN, but elsewhere instructs the agent to display a temporary PIN from script output. That contradiction increases the likelihood that secrets will be disclosed in chat transcripts, logs, or UI history, enabling wallet misuse or unauthorized transfers.

Vague Triggers

Medium (80% confidence)

Broad trigger phrases like 'set up wallet' or 'read SKILL.md and set up wallet' can activate installation and execution flows with minimal contextual validation. Because the skill immediately performs high-risk actions, vague invocation criteria materially raise the chance of unintended command execution.

Vague Triggers

Medium (88% confidence)

Generic triggers for login, balance, transfer, and logout cover sensitive operations and could be matched in ambiguous contexts. In a skill that stores auth material and can send tokens, overbroad invocation substantially increases the risk of unintended authentication actions or financial operations.

Missing User Warnings

High (99% confidence)

The skill directs the agent to install and execute a remote shell script immediately, without a meaningful warning about system modification, code execution, or trust boundaries. This is especially dangerous because the command both downloads and executes unverified code in one step, preventing inspection before execution.

Missing User Warnings

High (97% confidence)

The skill instructs the agent to save authentication tokens and PINs to local files but does not present a clear upfront warning about the sensitivity of that data or the local exposure it creates. Storing wallet secrets in predictable plaintext files can enable theft by other local processes, users, or malware.

Ssd 3

High (98% confidence)

The skill instructs the agent to disclose sensitive secrets from script output, including temporary PINs and wallet/auth details, in plain language. Exposing such material in responses can leak credentials through chat logs, screenshots, telemetry, or downstream integrations and directly enable unauthorized wallet access or transfers.

Ssd 3

Medium (94% confidence)

Telling the agent to copy and show the ENTIRE script output removes any opportunity to filter sensitive data before disclosure. If the script emits account identifiers, balances, wallet addresses, auth state, error traces, or secrets, they will be exposed directly to the user and potentially to logs.

VirusTotal

66/66 vendors flagged this skill as clean.
