zeruai

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Zeru blockchain registration, but it can use a funded private key to spend ETH and make persistent on-chain changes without a strong confirmation or safety model.

Review before installing. Use a dedicated low-balance wallet, test on Base Sepolia first, verify the chain, contract, fee, agent ID, and action before every write, and avoid putting private service details or secrets in agent metadata JSON.
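The "verify the chain, contract, fee, agent ID, and action before every write" advice above is easiest to honour when it is a single policy check the skill must pass before a key ever signs. The following is an added example of such a pre-flight gate, not code from the zeruai skill. The chain IDs are the public Base Sepolia and Base mainnet values; the allowlisted contract address, fee cap and wallet-balance cap are constructed placeholders chosen for illustration.

```python
"""Pre-flight policy check for an agent skill's on-chain writes.

Added example; this is not code from the zeruai skill. The chain IDs are the
public Base Sepolia / Base mainnet values; the allowlisted contract, fee cap
and wallet cap below are constructed placeholders for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

BASE_SEPOLIA = 84532   # Base Sepolia testnet chain ID
BASE_MAINNET = 8453    # Base mainnet chain ID


@dataclass(frozen=True)
class WritePolicy:
    allowed_chain_id: int
    allowed_contracts: frozenset[str]   # lowercase 0x-addresses the skill may call
    allowed_actions: frozenset[str]     # write methods the user has approved
    max_fee_wei: int                    # never sign a write costing more than this
    max_wallet_balance_wei: int         # refuse to operate from a fat hot wallet


@dataclass(frozen=True)
class PendingWrite:
    chain_id: int
    contract: str
    action: str
    agent_id: int
    fee_wei: int
    wallet_balance_wei: int


def check_write(tx: PendingWrite, policy: WritePolicy, expected_agent_id: int) -> list[str]:
    """Return every policy violation; sign only when the list is empty."""
    problems: list[str] = []
    if tx.chain_id != policy.allowed_chain_id:
        problems.append(f"chain {tx.chain_id} is not the expected chain {policy.allowed_chain_id}")
    if tx.contract.lower() not in policy.allowed_contracts:
        problems.append(f"contract {tx.contract} is not allowlisted")
    if tx.action not in policy.allowed_actions:
        problems.append(f"action {tx.action!r} is not approved")
    if tx.agent_id != expected_agent_id:
        problems.append(f"agent id {tx.agent_id} does not match expected {expected_agent_id}")
    if tx.fee_wei > policy.max_fee_wei:
        problems.append(f"fee {tx.fee_wei} wei exceeds cap {policy.max_fee_wei}")
    if tx.wallet_balance_wei > policy.max_wallet_balance_wei:
        problems.append("signing wallet holds more than the hot-wallet cap; use a dedicated low-balance key")
    return problems


# Constructed placeholder values (not a real Zeru contract or fee schedule).
EXAMPLE_CONTRACT = "0x" + "ab" * 20
EXAMPLE_POLICY = WritePolicy(
    allowed_chain_id=BASE_SEPOLIA,
    allowed_contracts=frozenset({EXAMPLE_CONTRACT}),
    allowed_actions=frozenset({"register", "update"}),
    max_fee_wei=10**16,                 # 0.01 ETH
    max_wallet_balance_wei=5 * 10**16,  # 0.05 ETH
)

if __name__ == "__main__":
    intended = PendingWrite(BASE_SEPOLIA, EXAMPLE_CONTRACT, "register", 7, 10**15, 10**16)
    print("ok" if not check_write(intended, EXAMPLE_POLICY, 7) else "blocked")
    # A write that has drifted to mainnet and an unknown contract is refused.
    drifted = PendingWrite(BASE_MAINNET, "0x" + "cd" * 20, "register", 7, 10**15, 10**16)
    for p in check_write(drifted, EXAMPLE_POLICY, 7):
        print("refused:", p)
```

The gate returns every violation rather than the first one so the user sees the whole picture (wrong chain and wrong contract together usually means the RPC endpoint or config was swapped, not a typo). Move the policy from Base Sepolia to mainnet only after the same writes have succeeded on the testnet.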

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares only OpenClaw runtime requirements in metadata but does not clearly declare or warn about its effective sensitive capabilities: reading a private key from the environment and performing networked write operations to blockchain and external APIs. This reduces user visibility into what the skill can do and increases the chance a user provides credentials without understanding the exposure and transaction risk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose centers on on-chain registration and state reads, but the behavior also includes creating/updating hosted agent URI documents and fetching off-chain data from external APIs and tokenURI endpoints. That mismatch is dangerous because users may expect only contract interaction while the skill can transmit data externally and ingest untrusted remote content, expanding privacy, integrity, and supply-chain risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The function advertised as reading on-chain agent data also performs an off-chain fetch to an arbitrary `agentURI` returned by the contract. That expands the skill's effective trust boundary and can enable unintended outbound network access, privacy leakage, SSRF-like behavior against internal endpoints, or retrieval of maliciously large/unexpected content if an attacker controls the on-chain URI.
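Because the `agentURI` comes from on-chain state that anyone may write, the fetch side has to treat it as attacker input. The following is an added example of the minimum guard a reviewer would expect before such a URI is dereferenced; it is not the zeruai skill's code. The https-only rule, the blocked host names and the 64 KiB body cap are assumed policy values, and hostname resolution is deliberately left out so the check runs offline.

```python
"""Guard for dereferencing an agentURI / tokenURI returned by a contract.

Added example; not the zeruai skill's code. The https-only rule, blocked host
names and 64 KiB body cap are assumed policy values. Hostname resolution is
deliberately left out so the check runs offline.
"""
from __future__ import annotations

import ipaddress
from collections.abc import Iterable
from urllib.parse import urlsplit

MAX_BODY_BYTES = 64 * 1024                                  # assumed cap for a metadata document
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}   # assumed denylist


def _is_non_public_ip(host: str) -> bool:
    """True when host is an IP literal that must never be fetched."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                       # a DNS name, not an IP literal
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_agent_uri(uri: str) -> str | None:
    """Return why the URI must not be fetched, or None if it passes."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} rejected; only https is fetched"
    host = parts.hostname                  # lowercased, IPv6 brackets stripped
    if not host:
        return "URI has no host"
    if parts.username or parts.password:
        return "userinfo in URI rejected"
    try:
        if parts.port not in (None, 443):
            return f"port {parts.port} rejected; only 443 is fetched"
    except ValueError:
        return "malformed port"
    if host in BLOCKED_HOSTS or _is_non_public_ip(host):
        return f"host {host!r} is internal or non-public"
    return None


def read_limited(chunks: Iterable[bytes], limit: int = MAX_BODY_BYTES) -> bytes:
    """Accumulate a streamed body, aborting as soon as it exceeds `limit`."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > limit:
            raise ValueError(f"agentURI body exceeds {limit} bytes")
    return bytes(buf)


if __name__ == "__main__":
    # Constructed URIs an attacker-controlled contract might return.
    for uri in ("https://example.com/agents/7.json",
                "http://example.com/agents/7.json",
                "https://169.254.169.254/latest/meta-data/",
                "https://[::1]:8545/",
                "file:///etc/passwd"):
        print(uri, "->", validate_agent_uri(uri) or "allowed")
```

`read_limited` is meant to wrap a streaming response iterator so an oversized document is cut off while in flight rather than after it has been buffered. The IP-literal check alone does not stop a DNS name that resolves to an internal address; a production fetcher should resolve the host, apply the same address test to every result, and connect to the address it checked to rule out rebinding between lookup and connect.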

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation instructs users to place a funded PRIVATE_KEY into persistent configuration without a strong warning about secret handling, hot-wallet risk, and irreversible transaction signing. In an agent skill context, this is particularly dangerous because compromise of the host, logs, config files, or downstream tooling could expose the key and lead to asset theft or unauthorized registrations/writes.

VirusTotal

64/64 vendors flagged this skill as clean.