ClawHub

IQDB

Security checks across malware telemetry and agentic risk

Overview

This is a coherent documentation-only skill for Solana on-chain storage, with real wallet, payment, and permanence risks that users must handle carefully.

Install only if you understand Solana transaction signing and permanent public blockchain storage. Use a dedicated low-balance wallet, test on devnet, verify installer and package sources, manually approve payments and mainnet writes, and do not put private keys, passwords, personal data, regulated data, or confidential files on-chain unless they are protected by well-reviewed client-side encryption.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to execute a remote installer via curl piped directly to sh, which removes an opportunity to inspect the downloaded script before execution. If the distribution endpoint, transport, or upstream release process were compromised, users could execute arbitrary code on their machine during setup.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup creates a Solana keypair file locally and configures it as the active wallet, but does not warn users that this file is a private signing credential that must be protected. In the context of on-chain storage and especially the mainnet guidance later in the document, loss or leakage of this key could allow unauthorized transactions and fund theft.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document promotes permanent on-chain storage and a payment-gated inscription flow without clearly warning users, up front, that uploaded data becomes publicly retrievable and effectively irreversible. In this skill’s Solana/on-chain storage context, that omission is materially risky because users may upload sensitive or regulated data under the mistaken assumption that this behaves like ordinary file storage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill presents hanLock as providing 'lightweight privacy' for data written on-chain, but it does not explicitly warn that Solana transaction data is public, permanent, and broadly accessible. This can mislead users into storing secrets, passwords, or sensitive personal data under the false assumption that password-based encoding meaningfully secures confidentiality, when in practice encoded ciphertext is still permanently exposed for offline attack and future compromise.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal