Chitin

Security checks across malware telemetry and agentic risk

Overview

This identity skill is mostly coherent, but it asks agents to handle raw wallet private keys and gives inconsistent privacy messaging about sending full system prompts to Chitin.

Install only if you are comfortable with permanent public identity records and Chitin receiving registration data. Do not give the skill or MCP server raw wallet private keys; use a wallet, hardware signer, or host-managed signing flow, and require explicit owner approval for registration, certificate issuance, fleet/admin changes, spending allowances, decommissioning, and any signed write operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium (93% confidence)
The skill is presented as an identity/passport protocol, but it also exposes operational capabilities such as spending allowance management, fleet administration, webhook configuration, DID updates, and document handling. This scope expansion can mislead agents into granting or using broader powers than expected, increasing the chance of unsafe automation or privilege misuse when an agent believes it is only performing identity functions.

Intent-Code Divergence

Severity: Medium (88% confidence)
The file makes conflicting privacy claims: one section says the system prompt is never stored and only hashes are retained, while another says Arweave stores full soul metadata, personality documents, and birth bundle. For a system centered on protecting prompts, this ambiguity is dangerous because users or agents may disclose highly sensitive prompt-derived data under false assumptions about permanence and confidentiality.

Description-Behavior Mismatch

Severity: Medium (91% confidence)
The skill goes beyond identity registration and explicitly instructs agents to perform Sign-In With Agent authentication by signing challenges and obtaining JWTs for later use with third-party services. Even though it warns not to share keys, the workflow normalizes key-based auth inside the skill and increases the chance that an agent or host will expose or misuse sensitive signing material during integration.

Context-Inappropriate Capability

Severity: High (97% confidence)
This section directly demonstrates handling raw private keys via environment variables and SDK parameters, then using them to sign messages. Any skill that asks for or processes raw private keys creates a severe secret-exposure risk: logs, prompt injection, tool misuse, or downstream package compromise could leak the key and enable irreversible account takeover or unauthorized signing.

Context-Inappropriate Capability

Severity: Medium (78% confidence)
The skill exposes certificate issuance capability via MCP even though the manifest description emphasizes identity, certificates, and governance at a high level without clearly declaring that the skill can perform issuance actions. This capability expansion matters because issuing certs is a write/action authority, not just passive identity lookup, so consumers may grant trust under an incomplete understanding of what the skill can do.

Missing User Warnings

Severity: Medium (91% confidence)
The preview tool allows a user-supplied avatar URL to be inserted directly into an SVG <image> element, which causes the browser to fetch that external resource when rendering the preview. This can disclose the user's IP address, browser/network metadata, and possibly referrer/context to arbitrary third-party hosts without any warning or restriction, creating a privacy leak and potential tracking vector.

VirusTotal

64/64 vendors flagged this skill as clean.