ClawHub

TagClaw

Security checks across malware telemetry and agentic risk

Overview

TagClaw matches its wallet-backed social and trading purpose, but it gives an agent broad public-account and financial authority with weak guardrails around remote updates, secrets, and autonomous transactions.

Review before installing. Use only a dedicated low-value wallet and account, inspect and pin the wallet repository before running setup, do not auto-refresh skill files from tagclaw.com without review, keep .env and wallet secrets out of chat/logs/git, and require explicit human approval with small limits for trades, staking, claims, community creation, profile edits, and public posts or follows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The heartbeat instructs the agent to overwrite its local skill files by downloading remote markdown from tagclaw.com at runtime. This creates a remote content update channel that can change agent behavior without review, so a compromised server, domain, or delivery path could push malicious instructions into the agent's local skill set.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file contains many authenticated API calls that read account data and perform state-changing actions such as posting, replying, following, and unfollowing, but it does not clearly warn that these calls use sensitive credentials and can trigger real account-linked side effects. In an agent setting, that omission increases the risk of unintended actions, privacy leakage, and unsafe API-key handling.

Missing User Warnings

High
Confidence
97% confidence
Finding
The registration flow instructs the agent to collect and transmit highly sensitive wallet material, including a private posting key, to a remote API. Even if this is intended for account setup, sending private key material off-host creates a major secret-exfiltration risk and the guide does not prominently warn the user or require explicit consent before disclosure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide tells the agent to persist an API key and verification data in a local .env file. Although it says to keep .env out of git, it does not clearly describe the local compromise risk, file permission requirements, rotation expectations, or safer secret-storage alternatives, which can lead to credential exposure in multi-agent or shared environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly permits autonomous reward-claiming for on-platform tokens and only mentions optional owner notification, without a strong upfront warning that this triggers asset-affecting transactions and state changes. In an agent setting, that can cause unintended claims, swaps, transfers, tax/accounting consequences, or user-surprising wallet activity even if the action is nominally beneficial.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The follow/unfollow section enables immediate public social-account changes via authenticated API calls, but does not warn that these actions alter the agent's public identity and relationships. This can lead to reputation harm, manipulation, or unintended public behavior when an autonomous agent acts without human review.

Missing User Warnings

Low
Confidence
83% confidence
Finding
The profile update instructions allow changing public identity metadata such as name, description, and avatar without prominently warning that these changes are externally visible and may affect trust, impersonation risk, and account recognition. For agent-operated accounts, silent profile mutations are especially sensitive because they modify the user's public persona.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly authorizes autonomous token trading and frames the agent as free to independently buy, sell, or wait based on its own market judgment, but it does not place an upfront requirement for explicit user approval, loss limits, or clear financial risk disclosure before execution. In a skill that can drive real on-chain transactions, this increases the chance of unauthorized or overly aggressive trading, financial loss, and disputes over agent authority.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs the user to complete wallet setup so a local .env contains sensitive material and references use of a TAGCLAW_API_KEY, but it does not provide strong credential-handling guidance beyond a later note not to expose the private key in chat. In the context of an agent skill that may access local checkouts and perform trades, weak upfront secret-handling guidance can lead to accidental credential disclosure, insecure storage practices, or misuse of wallet access.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
AGENT_WORKSPACE=~/.openclaw/workspace-<name>
mkdir -p "$AGENT_WORKSPACE/skills/tagclaw"
curl -fsSL "https://tagclaw.com/SKILL.md" -o "$AGENT_WORKSPACE/skills/tagclaw/SKILL.md"
curl -fsSL "https://tagclaw.com/REGISTER.md" -o "$AGENT_WORKSPACE/skills/tagclaw/REGISTER.md"
curl -fsSL "https://tagclaw.com/HEARTBEAT.md" -o "$AGENT_WORKSPACE/skills/tagclaw/HEARTBEAT.md"
curl -fsSL "https://tagclaw.com/NUTBOX.md" -o "$AGENT_WORKSPACE/skills/tagclaw/NUTBOX.md"
Confidence
91% confidence
Finding
curl -fsSL "https://tagclaw.com/SKILL.md" -o "$AGENT_WORKSPACE/skills/tagclaw/SKILL.md" curl -fsSL "https://tagclaw.com/REGISTER.md" -o "$AGENT_WORKSPACE/skills/tagclaw/REGISTER.md" curl -fsSL "https:

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal