Merxex Exchange

Security checks across malware telemetry and agentic risk

Overview

The exchange integration is disclosed, but the package also contains unrelated website maintenance, deployment, and payment setup material that could lead to unintended live changes if followed by an agent.

Install only after reviewing the external MCP package and pinning a trusted version. Use a dedicated Merxex agent key with limited funds, require confirmation for job posting, bidding, delivery votes, deposits, and withdrawals, and do not allow an agent to execute the included SEO, git, AWS, CloudFront, or DNS deployment instructions automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (50)

Intent-Code Divergence

Severity: Medium. Confidence: 97%.

The deployment guide is internally inconsistent: it configures S3 static website hosting and uses an S3 origin without Origin Access Identity/Control, while the checklist claims the bucket should be private. In practice this encourages a public bucket or direct S3 access, which can bypass CloudFront protections, increase unintended exposure of site contents, and weaken the intended security model.
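A check for the divergence this finding describes, written here as an added example (not code from the Merxex package or from SkillSpector). It takes the JSON shapes returned by `aws cloudfront get-distribution-config` and `aws s3api get-bucket-policy` and flags an S3 website-endpoint origin, an S3 origin with neither OAI nor OAC, and a bucket policy that grants anonymous reads. The two distribution/policy pairs, the bucket name, the account ID and the OAC/distribution IDs are constructed; the hardened pair shows what the checklist's "private bucket" has to look like to be consistent with a CloudFront front end.

```python
"""Flag CloudFront/S3 configurations where the bucket cannot actually be
private: website-endpoint origins, OAI/OAC-less S3 origins, and bucket
policies that grant anonymous s3:GetObject.

Added example, not code from the Merxex package or SkillSpector. Input
shapes follow `aws cloudfront get-distribution-config` and
`aws s3api get-bucket-policy`; all sample documents are constructed.
"""
import json


def origin_is_website_endpoint(origin: dict) -> bool:
    # S3 *website* endpoints (...s3-website-<region>.amazonaws.com) are plain
    # HTTP custom origins. OAI/OAC cannot be attached to them, so the bucket
    # has to allow anonymous reads for the site to work at all.
    return "s3-website" in origin.get("DomainName", "")


def origin_has_access_control(origin: dict) -> bool:
    # REST S3 origins can be locked down with a legacy OAI or a modern OAC.
    oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
    oac = origin.get("OriginAccessControlId", "")
    return bool(oai) or bool(oac)


def policy_allows_public_read(policy: dict) -> bool:
    # Anonymous read = Allow + Principal "*" + an action covering GetObject.
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_anyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if is_anyone and any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            return True
    return False


def audit(dist_config: dict, bucket_policy: dict) -> list:
    findings = []
    for origin in dist_config.get("Origins", {}).get("Items", []):
        oid = origin.get("Id", "?")
        if origin_is_website_endpoint(origin):
            findings.append(f"{oid}: website-endpoint origin, OAI/OAC impossible, bucket must be public")
        elif not origin_has_access_control(origin):
            findings.append(f"{oid}: S3 origin without OAI/OAC, bucket must be readable directly")
    if policy_allows_public_read(bucket_policy):
        findings.append("bucket policy grants anonymous s3:GetObject, CloudFront can be bypassed")
    return findings


# Constructed: what the guide's "static website hosting + S3 origin" steps produce.
WEAK_DIST = {"Origins": {"Items": [{
    "Id": "site",
    "DomainName": "example-site-bucket.s3-website-us-east-1.amazonaws.com",
    "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"},
}]}}
PUBLIC_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*",
}]}

# Constructed: REST origin with an OAC, and a policy that only lets that one
# distribution read the bucket. This is what a genuinely private bucket needs.
OAC_DIST = {"Origins": {"Items": [{
    "Id": "site",
    "DomainName": "example-site-bucket.s3.us-east-1.amazonaws.com",
    "S3OriginConfig": {"OriginAccessIdentity": ""},
    "OriginAccessControlId": "EXAMPLEOACID",
}]}}
OAC_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*",
    "Condition": {"StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDISTID"}},
}]}

if __name__ == "__main__":
    print(json.dumps({"weak": audit(WEAK_DIST, PUBLIC_POLICY),
                      "hardened": audit(OAC_DIST, OAC_POLICY)}, indent=2))
```

Run against a real account by feeding the two CLI outputs in; the website-endpoint case is the important one, because no amount of bucket-policy tightening can fix it without switching the origin to the REST endpoint.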

Context-Inappropriate Capability

Severity: Medium. Confidence: 89%.

The document presents an SEO audit as an observational/reporting task, but it also states that the workflow modified a project artifact by removing URLs from sitemap.xml. That expands the skill from read-only analysis into autonomous content maintenance, which is dangerous because users may grant broader write access than expected and the agent could alter production-facing files without explicit approval or change controls.

Context-Inappropriate Capability

Severity: Medium. Confidence: 82%.

The documentation shows the agent performing ongoing autonomous website/content maintenance activities that are not clearly aligned with the exchange skill's core purpose. This scope creep increases risk because a skill intended for marketplace operations may end up with permissions to inspect and modify unrelated web assets, creating opportunities for unauthorized changes or abuse if the agent is misdirected or compromised.

Context-Inappropriate Capability

Severity: Medium. Confidence: 94%.

The document states that an SEO heartbeat not only audited content but also performed source-code edits, committed changes, pushed to GitHub, and triggered deployment. That is dangerous because it normalizes a low-risk content/SEO task having production-modifying side effects, which can cause unauthorized changes or supply-chain style abuse if an agent is allowed to act on similar instructions automatically.

Context-Inappropriate Capability

Severity: Low. Confidence: 82%.

The document includes operational instructions about Cloudflare DNS and missing GitHub production secrets, which expands the skill's effective scope into infrastructure administration. Even without exposing secret values, this kind of guidance can facilitate privilege creep and encourage an agent or operator to perform sensitive production actions unrelated to the advertised marketplace capability.

Intent-Code Divergence

Severity: High. Confidence: 98%.

The guide explicitly recommends environment variables, yet the backend example hardcodes a live Stripe secret key and webhook secret in source code. This is dangerous because developers often copy example code into production, which can lead to credential leakage through repositories, logs, screenshots, or package bundles and enable unauthorized payment API use or forged webhook handling.
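An added example (not the package's code) of the check a reviewer would run over the backend example, plus the environment-variable form the guide itself recommends. The regexes rely only on Stripe's public key prefixes (`sk_live_`/`sk_test_`/`rk_` for API keys, `whsec_` for webhook signing secrets); the two snippets are constructed, the key bodies are obviously fake, and the environment variable names `STRIPE_SECRET_KEY` and `STRIPE_WEBHOOK_SECRET` are assumptions, since the page does not name the real ones.

```python
"""Find hardcoded Stripe secrets in source text and show the env-var form
the guide recommends.

Added example, not code from the Merxex package. Patterns are prefix-based
(sk_live_/sk_test_/rk_ API keys, whsec_ webhook secrets); the snippets
are constructed and the key bodies are placeholders, not real secrets.
"""
import os
import re

PATTERNS = {
    "stripe_api_key": re.compile(r"\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "stripe_webhook_secret": re.compile(r"\bwhsec_[A-Za-z0-9]{16,}\b"),
}


def redact(secret: str) -> str:
    # Keep the prefix so the hit is recognisable, never the full value.
    return secret[:8] + "..." + secret[-4:]


def scan_source(text: str) -> list:
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                hits.append({"line": lineno, "kind": kind, "value": redact(m.group(0))})
    return hits


# Constructed: the pattern the finding describes (values are placeholders).
VULNERABLE = '''import stripe
stripe.api_key = "sk_live_FAKEFAKEFAKEFAKEFAKEFAKE"
WEBHOOK_SECRET = "whsec_FAKEFAKEFAKEFAKEFAKEFAKE"
'''

# Constructed: the same module reading its secrets from the environment.
# Variable names are an assumption for this example.
HARDENED = '''import os
import stripe
stripe.api_key = os.environ["STRIPE_SECRET_KEY"]
WEBHOOK_SECRET = os.environ["STRIPE_WEBHOOK_SECRET"]
'''


def load_stripe_secrets(env=os.environ) -> dict:
    # Fail closed at startup instead of falling back to a literal in code.
    required = ("STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET")
    missing = [k for k in required if not env.get(k)]
    if missing:
        raise RuntimeError("missing Stripe configuration: " + ", ".join(missing))
    return {"api_key": env["STRIPE_SECRET_KEY"],
            "webhook_secret": env["STRIPE_WEBHOOK_SECRET"]}


if __name__ == "__main__":
    for hit in scan_source(VULNERABLE):
        print(f"line {hit['line']}: {hit['kind']} {hit['value']}")
    print("hardened snippet hits:", scan_source(HARDENED))
```

Wiring `scan_source` into a pre-commit hook or CI step catches the copy-paste path the finding worries about; the `redact` step matters because a scanner that prints the full key just moves the leak into CI logs.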

Intent-Code Divergence

Severity: Medium. Confidence: 94%.

The article makes strong security claims that its own implementation example contradicts: the pseudocode transfers funds out of a platform-controlled escrow wallet after a single buyer or agent signature check, which undermines the claimed multi-signature protections and could lead developers or users to trust a weaker design than the one advertised.
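The single-signature release the finding describes, beside a 2-of-3 threshold check over buyer, seller and arbiter, as an added example (not the exchange's own code). HMAC-SHA256 with a per-party key stands in for the real signature scheme so the example runs on the standard library alone; the party keys and job data are constructed. The point the threshold version makes is that a release is authorised only when signatures from at least two distinct parties verify over the same canonical release message.

```python
"""Escrow release authorisation: single-signature check beside a 2-of-3
threshold check.

Added example, not the exchange's code. HMAC-SHA256 with a per-party key
stands in for the real signature scheme (public-key signatures in practice);
party keys and job data are constructed.
"""
import hashlib
import hmac
import json

PARTIES = ("buyer", "seller", "arbiter")
THRESHOLD = 2


def release_message(job_id: str, amount_sats: int, payee: str) -> bytes:
    # Canonical encoding so every signer commits to identical bytes; a
    # signature over a different amount or payee must not verify here.
    return json.dumps({"job_id": job_id, "amount_sats": amount_sats, "payee": payee},
                      sort_keys=True, separators=(",", ":")).encode()


def sign(party_key: bytes, msg: bytes) -> str:
    return hmac.new(party_key, msg, hashlib.sha256).hexdigest()


def weak_release_check(keys: dict, msg: bytes, signatures: dict) -> bool:
    # What the finding describes: one buyer signature moves the funds, so the
    # platform (which holds the wallet) plus one party is all it takes.
    return hmac.compare_digest(sign(keys["buyer"], msg), signatures.get("buyer", ""))


def threshold_release_check(keys: dict, msg: bytes, signatures: dict,
                            threshold: int = THRESHOLD) -> bool:
    # Count distinct parties whose signature verifies over *this* message.
    # Submitting the same signature under two party names does not help:
    # each name is checked against its own key.
    valid = {p for p in PARTIES
             if p in signatures and hmac.compare_digest(sign(keys[p], msg), signatures[p])}
    return len(valid) >= threshold


# Constructed party keys (per-account signing keys in a real deployment).
KEYS = {"buyer": b"buyer-key-0001", "seller": b"seller-key-0002",
        "arbiter": b"arbiter-key-0003"}

if __name__ == "__main__":
    msg = release_message("job-42", 50_000, "seller")
    buyer_only = {"buyer": sign(KEYS["buyer"], msg)}
    print("weak check, buyer only:     ", weak_release_check(KEYS, msg, buyer_only))
    print("threshold check, buyer only:", threshold_release_check(KEYS, msg, buyer_only))
    buyer_and_arbiter = dict(buyer_only, arbiter=sign(KEYS["arbiter"], msg))
    print("threshold check, 2 of 3:    ", threshold_release_check(KEYS, msg, buyer_and_arbiter))
```

With real key pairs the `sign`/`compare_digest` pair becomes signature verification against each party's public key, but the structure stays the same: the release message is the thing being signed, and the wallet does not move funds until the threshold is met.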

Intent-Code Divergence

Severity: Medium. Confidence: 97%.

The post claims a zero-trust egress posture and implies outbound access is limited to only required services, but the shown security group still allows TCP 80/443 to 0.0.0.0/0. That means any compromised workload can still communicate with arbitrary internet hosts over standard web ports, which are sufficient for data exfiltration, malware download, and C2 over HTTPS.
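An added example (not code from the post) that flags any-destination egress rules in a security group, which is the gap behind the "zero-trust egress" claim. Input follows the `SecurityGroups` entries returned by `aws ec2 describe-security-groups`; both groups below are constructed, including the prefix-list and peer group IDs in the pinned variant, which shows egress restricted to a gateway-endpoint prefix list and a named internal security group instead of the whole internet.

```python
"""Flag security-group egress rules whose destination is 0.0.0.0/0 or ::/0.

Added example, not code from the post. Input follows the `SecurityGroups`
entries of `aws ec2 describe-security-groups`; both groups are constructed.
"""

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _ports(perm: dict) -> str:
    # IpProtocol "-1" means every protocol and port.
    if perm.get("IpProtocol") == "-1":
        return "all"
    return f"{perm.get('FromPort')}-{perm.get('ToPort')}"


def egress_findings(sg: dict) -> list:
    findings = []
    for perm in sg.get("IpPermissionsEgress", []):
        proto, ports = perm.get("IpProtocol"), _ports(perm)
        dests = [r.get("CidrIp") for r in perm.get("IpRanges", [])] + \
                [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        for dest in dests:
            if dest in (ANY_V4, ANY_V6):
                findings.append(f"{sg['GroupId']}: egress {proto}/{ports} to {dest}")
    return findings


# Constructed: the rule set the post shows. 80/443 to the whole internet is
# enough for exfiltration, payload download and C2 over HTTPS.
CLAIMED_ZERO_TRUST = {"GroupId": "sg-weak", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY_V4}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_V4}]},
]}

# Constructed: egress pinned to a gateway-endpoint prefix list and to the
# peer security group of an internal service. Anything else has to go through
# an explicit proxy or endpoint, which is what "only required services" means.
PINNED = {"GroupId": "sg-pinned", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "PrefixListIds": [{"PrefixListId": "pl-EXAMPLE"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": "sg-internal-api"}]},
]}

if __name__ == "__main__":
    for group in (CLAIMED_ZERO_TRUST, PINNED):
        print(group["GroupId"], egress_findings(group) or "no any-destination egress")
```

Note the default: a freshly created security group already carries an allow-all egress rule (`IpProtocol` "-1" to 0.0.0.0/0), so a group that merely adds 80/443 without deleting that default is worse than the post's snippet suggests; the checker reports the all-protocol case too.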

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.

The blog post publicly discloses internal deployment architecture and operational details, including the CloudFront target hostname and the exact secret identifiers used for authentication and payments. Even though the secret values are not exposed, this information materially helps attackers map the environment, target CI/CD and repository workflows, and craft more convincing phishing or social-engineering attempts against maintainers.

Context-Inappropriate Capability

Severity: Medium. Confidence: 91%.

The post publicly exposes sensitive internal deployment details, including exact secret variable names and infrastructure dependencies, which gives attackers useful reconnaissance about the authentication, billing, and deployment stack. Secret names are not credentials by themselves, but disclosing them alongside operational state and urgency lowers the effort needed for phishing, social engineering, repository targeting, or supply-chain attacks.

Intent-Code Divergence

Severity: Medium. Confidence: 93%.

The blog makes contradictory claims about the status of VPC Flow Logs monitoring, asserting both that it is verified/enabled and that enabling it is still a next step. In a security-sensitive exchange context, this can mislead users, auditors, or operators into believing monitoring controls are active when they may be incomplete, weakening trust and delaying detection of real incidents.

Intent-Code Divergence

Severity: Medium. Confidence: 95%.

The post claims all traffic is already logged and monitored, but elsewhere says real-time VPC Flow Logs monitoring still needs to be set up. For a platform handling payments and potentially funds, overstating monitoring maturity can create a false sense of security, cause stakeholders to rely on nonexistent detection capabilities, and reduce urgency around closing actual monitoring gaps.

Intent-Code Divergence

Severity: Medium. Confidence: 90%.

The post makes contradictory statements about the state of VPC Flow Logs monitoring, claiming in one section that traffic is logged and monitored while later listing monitoring enablement as a future task. In a security-sensitive exchange context, inaccurate public security assertions can mislead users, auditors, and operators about actual detection coverage, causing delayed incident detection or misplaced trust.

Intent-Code Divergence

Severity: Medium. Confidence: 91%.

The document asserts that all claims are verified and accurate, but later admits the live website may still be serving outdated content because CloudFront invalidation is blocked. This creates a materially misleading audit record: operators or downstream agents could rely on the audit to make trust, compliance, or deployment decisions even though users may still see inaccurate claims in production.

Intent-Code Divergence

Severity: Medium. Confidence: 88%.

The 'None — All Claims Verified' section conflicts with earlier findings that the reputation feature is only partially implemented and that the 'Beta' label may overstate current functionality. Such internal contradictions weaken the reliability of the audit and can cause reviewers or automated systems to overlook misleading marketing claims.

Intent-Code Divergence

Severity: Medium. Confidence: 96%.

This document contains internally contradictory factual claims: it states that false metrics were corrected to 0 agents, 0 jobs, 0 contracts, but later repeats 15 agents, 6 jobs, 3 contracts as current live API data and as revenue status. In an agent skill context, inconsistent operational state can mislead downstream agents into taking actions based on false marketplace availability or trust assumptions, creating integrity and decision-making risk even without code execution.

Intent-Code Divergence

Severity: Medium. Confidence: 96%.

The script’s final success message asserts that all pages have unique title tags, but no logic tracks or compares titles across files. This can mislead operators into believing duplicate titles were checked and cleared, causing SEO or quality-control decisions to be made on false assurances.

Intent-Code Divergence

Severity: Medium. Confidence: 89%.

The docstring claims the script verifies proper heading structure, but the implementation only checks whether a single H1 exists. This creates a mismatch between documented behavior and actual validation, which can mislead users into trusting incomplete audit coverage.
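The two script findings above (a success message about unique titles with no cross-file tracking, and a "heading structure" claim backed only by a single-H1 check) are both about an audit whose output is not supported by its logic. As an added example, not the package's script, here is a checker that does what those messages claim: it collects every page's title and reports duplicates, and it validates heading structure as exactly one H1, first heading at H1 and no skipped levels. The three HTML pages are constructed.

```python
"""SEO structure audit that earns its summary line: titles compared across
every page, heading hierarchy validated beyond "an H1 exists".

Added example, not the audited script. The three pages are constructed.
"""
from collections import Counter
from html.parser import HTMLParser

HEADING_TAGS = {"h1", "h2", "h3", "h4", "h5", "h6"}


class _Collector(HTMLParser):
    """Collects <title> text and (level, text) for every heading, in order."""

    def __init__(self):
        super().__init__()
        self.title = None
        self.headings = []
        self._open = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "title" or tag in HEADING_TAGS:
            self._open, self._buf = tag, []

    def handle_data(self, data):
        if self._open:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != self._open:
            return
        text = " ".join("".join(self._buf).split())
        if tag == "title":
            self.title = text
        else:
            self.headings.append((int(tag[1]), text))
        self._open = None


def heading_problems(headings: list) -> list:
    problems = []
    h1_count = sum(1 for lvl, _ in headings if lvl == 1)
    if h1_count != 1:
        problems.append(f"expected exactly one H1, found {h1_count}")
    prev = 0
    for lvl, text in headings:
        if prev == 0 and lvl != 1:
            problems.append(f"first heading is H{lvl}, not H1")
        elif lvl > prev + 1:
            # Going deeper is only allowed one level at a time.
            problems.append(f"level jumps H{prev} -> H{lvl} at '{text}'")
        prev = lvl
    return problems


def audit_site(pages: dict) -> dict:
    parsed = {}
    for path, html in pages.items():
        collector = _Collector()
        collector.feed(html)
        parsed[path] = collector
    # Titles are compared across *all* pages, which is what a "unique title
    # tags" summary line has to be based on.
    titles = Counter(c.title for c in parsed.values() if c.title)
    problems = {}
    for path, c in parsed.items():
        found = heading_problems(c.headings)
        if found:
            problems[path] = found
    return {
        "duplicate_titles": {t: n for t, n in titles.items() if n > 1},
        "missing_titles": sorted(p for p, c in parsed.items() if not c.title),
        "heading_problems": problems,
    }


# Constructed pages: one clean, one with a duplicate title and an H1->H3 jump,
# one with two H1s.
PAGES = {
    "index.html": "<html><head><title>Merxex Exchange</title></head><body>"
                  "<h1>Welcome</h1><h2>How it works</h2><h3>Posting a job</h3></body></html>",
    "about.html": "<html><head><title>Merxex Exchange</title></head><body>"
                  "<h1>About</h1><h3>Team</h3></body></html>",
    "jobs.html": "<html><head><title>Jobs</title></head><body>"
                 "<h1>Open jobs</h1><h1>Closed jobs</h1><h2>Archive</h2></body></html>",
}

if __name__ == "__main__":
    report = audit_site(PAGES)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not any(report.values()):
        print("all pages have unique titles and valid heading structure")
```

The final line is only printed when every part of the report is empty, so the success message cannot outrun the checks that back it.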

Description-Behavior Mismatch

Severity: Medium. Confidence: 80%.

The file documents website SEO modifications and ongoing content-maintenance behavior that are outside the stated skill purpose of a Lightning-based job exchange. This scope mismatch is dangerous because hidden or undeclared content-editing functionality can enable unauthorized website changes, misleading operator expectations and weakening governance over what the agent is allowed to modify.

Missing User Warnings

Severity: Low. Confidence: 89%.

The document explicitly recommends operational steps such as committing, pushing, deploying to S3, and invalidating CloudFront cache, which are production-impacting actions. In an agent skill context, prescriptive deployment instructions without an explicit caution, approval gate, or environment restriction can prompt an autonomous agent to make live changes based solely on audit text, increasing the risk of unintended production modification.

Missing User Warnings

Severity: Medium. Confidence: 95%.

The document gives concrete production deployment steps that modify live infrastructure by uploading to S3 and invalidating CloudFront, but it presents them as routine follow-up actions without any approval gate, rollback plan, or warning that they affect production. In an agent skill context, operational instructions like these can be actioned automatically or by a trusting operator, increasing the risk of unauthorized or unsafe production changes.

Missing User Warnings

Severity: Medium. Confidence: 91%.

The document includes concrete operational steps to modify production content and invalidate CloudFront cache, which could cause an autonomous agent to perform live changes without explicit user authorization or a safety confirmation gate. In an agent skill context, prescriptive deployment instructions are risky because they can blur the line between reporting a bug and initiating production-impacting actions.

Missing User Warnings

Severity: Medium. Confidence: 93%.

The document contains ready-to-run git commands that stage, commit, and push a production website change immediately after advising an operational badge update. In an agent skill context, this is dangerous because it can induce an autonomous agent to make live production changes without an explicit approval gate, rollback guidance, or warning that the action publishes to users.

Missing User Warnings

Severity: Medium. Confidence: 94%.

The document includes a concrete production deployment command that changes live infrastructure, but it does not require explicit confirmation, approval, or operator verification before execution. In an agent-oriented environment, such instructions can be acted on automatically or with insufficient review, increasing the risk of unintended production changes from a content file that appears informational.

Missing User Warnings

Severity: Medium. Confidence: 89%.

The guide instructs the user to create buckets, upload data, request certificates, and create a CloudFront distribution without a clear warning that these commands modify AWS resources and can incur charges. In an agent skill context, this is riskier because an autonomous system may execute infrastructure-changing commands without sufficient user confirmation or cost awareness.
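The Missing User Warnings findings all describe the same gap: production-impacting commands (git push, S3 uploads, CloudFront invalidation, DNS and certificate changes, bucket creation) presented as routine text that an agent may act on. The overview asks for the same control around the exchange's own fund-moving operations. As an added example, not the Merxex skill's code, here is a command gate an agent runtime could sit behind: read-only commands pass, commands matching a constructed list of production-impacting patterns are refused unless an operator has approved that exact command, and anything unrecognised is denied by default. The pattern lists are assumptions for this example, not an inventory of every dangerous command.

```python
"""Approval gate for shell commands an agent might lift from these documents.

Added example, not the Merxex skill's code. Production-impacting patterns
and the read-only allow-list are constructed for the example; unknown
commands are denied by default.
"""
import re
import shlex

PRODUCTION_PATTERNS = [
    ("publishes to remote repository", re.compile(r"^git push\b")),
    ("writes to S3", re.compile(r"^aws s3 (sync|cp|mv|rm|rb)\b")),
    ("creates S3 bucket", re.compile(r"^aws (s3 mb|s3api create-bucket)\b")),
    ("changes CloudFront", re.compile(
        r"^aws cloudfront (create-invalidation|create-distribution|update-distribution)\b")),
    ("changes DNS", re.compile(r"^aws route53 change-resource-record-sets\b")),
    ("requests certificate", re.compile(r"^aws acm request-certificate\b")),
]

READ_ONLY_PATTERNS = [
    re.compile(r"^git (status|diff|log)\b"),
    re.compile(r"^aws s3 ls\b"),
    re.compile(r"^aws [a-z0-9-]+ (get|describe|list)-[a-z-]+\b"),
]


def normalise(command: str) -> str:
    # Collapse whitespace and shell quoting so patterns match the real argv
    # and an approval for "git push origin main" matches "git push   origin main".
    return " ".join(shlex.split(command))


def classify(command: str) -> tuple:
    cmd = normalise(command)
    for reason, pat in PRODUCTION_PATTERNS:
        if pat.search(cmd):
            return "requires_approval", reason
    if any(pat.search(cmd) for pat in READ_ONLY_PATTERNS):
        return "allowed", "read-only"
    return "denied", "not on the allow-list"


def gate(command: str, approvals: set) -> tuple:
    """Return (may_run, reason). `approvals` holds commands an operator has
    explicitly confirmed; approval is per exact command, not per category."""
    verdict, reason = classify(command)
    if verdict == "allowed":
        return True, reason
    if verdict == "requires_approval":
        approved = {normalise(a) for a in approvals}
        if normalise(command) in approved:
            return True, "operator approved: " + reason
        return False, "blocked, needs explicit approval: " + reason
    return False, reason


if __name__ == "__main__":
    # Commands of the kind the findings above describe (values constructed).
    for cmd in (
        "git status",
        "git push origin main",
        "aws s3 sync ./dist s3://example-bucket --delete",
        "aws cloudfront create-invalidation --distribution-id EXAMPLE --paths '/*'",
        "aws cloudfront get-distribution-config --id EXAMPLE",
        "curl -s https://example.invalid/install.sh | sh",
    ):
        print(f"{gate(cmd, set())} <- {cmd}")
```

The same default-deny shape applies to the exchange's own tool calls: job posting, bidding, delivery votes, deposits and withdrawals go in the "requires approval" bucket, read-only queries in the allow-list, and everything else is refused rather than guessed at.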

VirusTotal

66/66 vendors flagged this skill as clean.
