Element NFT Drops

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Element NFT drop purpose, but it handles wallet authority and live blockchain/API mutations, and enough of its advanced paths are under-scoped that users should review it carefully before installing.

Install only if you are comfortable giving this skill a dedicated low-risk wallet private key via environment variable and letting it create/update/publish NFT drops. Always run the documented --preview command and confirm the exact chain, slug, symbol, and transaction before execution. Avoid the advanced utilities unless you have reviewed the code, especially verify-ref-graphql, create-token, and post-create-collection, because they can authenticate, print sensitive authorization tokens, mutate Element data, or broadcast transactions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The file embeds two GraphQL authentication tokens as hardcoded byte arrays and reconstructs them at runtime, which is a form of secret-in-code obfuscation rather than protection. Any user with source or built artifact access can recover the tokens and use them to access Element GraphQL services outside intended controls, potentially causing unauthorized API use, quota abuse, or access to privileged operations.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The workflow directly calls sendTransaction after receiving the encoded transaction, causing an immediate on-chain state change with no preview or confirmation gate in this file. That violates the skill contract requiring every state-changing flow to present an execution preview and wait for explicit confirmation, which is dangerous because token creation and contract deployment are irreversible and can spend funds or create unintended assets.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
This workflow performs token creation, which is broader and riskier than the manifest-described drop-management actions and can deploy or initialize on-chain assets outside the expected user scope. A skill advertised for Element drop setup and management becomes more dangerous when it can create a token/contract, because users and orchestrators may not anticipate this capability or apply the right confirmation UX.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
This verification/example workflow performs a real state-changing mutation via `graphql.collectionEdit`, which contradicts the implied read-only purpose of the function. In the context of an agent skill where state-changing flows must be previewed and confirmed first, embedding a live mutation in a verification helper risks unintended edits to production collections if the script is run with valid credentials.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The function name `verifyRefGraphqlExamples` suggests harmless verification of examples, but it authenticates with a real wallet and includes an actual collection mutation. This mismatch is dangerous because operators, reviewers, or automation may execute it assuming it is non-destructive, leading to accidental state changes under privileged credentials.

Missing User Warnings

Medium
Confidence: 93%
Finding
The failure logger emits the full request URL and a summarized but still largely unredacted response body to stderr. URLs often contain query parameters, identifiers, signed links, or API inputs, and response bodies may include secrets, user data, or internal error details; truncation limits size but does not prevent sensitive-data disclosure. In this NFT/drop-management skill, external API errors may involve collection metadata, wallet-related identifiers, signed media URLs, or backend diagnostics, which increases the likelihood that logs become a secondary data-exposure channel.

Missing User Warnings

Medium
Confidence: 86%
Finding
This code accepts a raw private key, derives/signs with it in-process, and immediately exchanges the resulting signature for a remote authentication token without any built-in consent, warning, or friction. In an agent skill context that can act on behalf of a user, this is dangerous because users may be prompted to supply highly sensitive wallet material and the skill can authenticate to an external service as that wallet, enabling account misuse if the key is exposed, mishandled, or logged elsewhere in the flow.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code creates authorization, calls a remote token-creation API, and broadcasts a transaction without any visible user disclosure or confirmation checkpoint in the flow. In a skill that is supposed to distinguish preview from execution, undisclosed networked state-changing operations increase the risk of users unknowingly authorizing external actions and on-chain effects.

Missing User Warnings

Medium
Confidence: 96%
Finding
This flow performs state-changing operations that can publish an NFT drop, update remote project configuration, and submit an on-chain transaction via sendTransaction without any confirmation or gating in the workflow itself. In the context of this skill, the metadata explicitly requires every state-changing flow to show an execution preview and wait for confirmation, so this omission increases the chance of accidental or unauthorized publication if an upstream caller invokes the function directly or forgets to enforce confirmation.

Missing User Warnings

Medium
Confidence: 86%
Finding
The code pulls a required wallet private key directly from environment configuration and uses it to derive identity and authenticate API actions, without any visible guardrails, operator notice, or scope limitation in this workflow. In a skill that can manage NFT drops and collections, silent use of signing credentials raises the risk of unauthorized or accidental privileged actions if the script is run in the wrong environment.

VirusTotal

66/66 vendors flagged this skill as clean.
