ClawHub

Clawdentials Escrow

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it connects agents to real crypto escrow and withdrawal tools with sensitive keys and too little safety scoping.

Install only if you are prepared to treat this as a real payment integration. Verify the publisher and npm package, pin and inspect the MCP server before use, use test funds first, require manual approval for every escrow release or withdrawal, and store the apiKey and nsec in a secret manager rather than prompts, logs, or project files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill prominently describes issuance of API keys, Nostr private keys (`nsec`), deposits, escrow, and withdrawals, but provides only a minimal note to save secrets and no meaningful security guidance on secure storage, non-sharing, phishing resistance, address verification, or the irreversibility of crypto transfers. In an agent context, this increases the chance that users or downstream agents mishandle credentials or initiate unsafe fund movements, leading to account takeover or permanent financial loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The API reference exposes issuance of sensitive credentials, including an API key and a Nostr private key (`nsec`), and documents money-moving and escrow operations without any explicit warning about secure secret storage, least-privilege handling, or the irreversible nature of withdrawals and fund release actions. In an agent-skill context, documentation is often consumed and operationalized directly by autonomous systems, so omission of safety guidance increases the chance that secrets are logged, mishandled, or that financial actions are executed without adequate confirmation.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal