ClawHub

Sui Decompile

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: help retrieve Sui contract source from public explorers, with some automation setup guidance users should review before using.

Install only if you are comfortable with a skill that may guide browser-based scraping of public Sui explorer pages. Do not let it run sudo installs, start local scraper processes, or use detection-avoidance techniques unless you explicitly approve them and they comply with the target sites' terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill includes explicit instructions to install and run local tooling (`apt-get install xvfb`, `node scraper.js`) and recommends anti-headless evasion to make automation appear like a real desktop browser. That goes beyond merely documenting how to view contract source and creates a pathway for agent-driven local subprocess execution and stealthier web automation, which increases misuse risk in environments where skills may be executed with host access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation explicitly advises using a virtual display to 'avoid headless detection,' which is anti-detection guidance, but it does not include a warning about compliance, terms-of-service, or the security implications of stealth scraping. In a skill intended to fetch and explain Sui contracts, this makes the behavior more dangerous because it normalizes evasive browsing unrelated to the core educational purpose.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal