Openclaw Agentpmt Tool Binary To From File Converter 9bc86d

Security checks across malware telemetry and agentic risk

Overview

The skill appears to mix a file-conversion purpose with broader AgentPMT wallet, payment, marketplace, and remote-sharing flows that users should review carefully before installing.

Install only if you intend to use AgentPMT beyond file conversion. Before allowing use, require explicit approval for any wallet creation, credit purchase, payment signing, marketplace/job action, upload, or signed URL creation, and avoid sending sensitive files unless storage and retention are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill for a simple binary/file conversion utility includes instructions to create EVM wallets, buy credits, sign payment challenges, and participate in a jobs marketplace. That greatly expands the agent's operational scope into financial and identity-bearing actions, creating unnecessary risk of unauthorized spending, wallet creation, and execution of unrelated third-party workflows if the skill is invoked without strong user consent and policy gating.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill embeds marketing-style claims about access to 99 tools and many unrelated capabilities, which can encourage overly broad trust in the AgentPMT platform and blur the boundaries of what this specific skill should do. In an agent context, that scope inflation is dangerous because it can normalize lateral use of unrelated services beyond the user's requested binary conversion task.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill instructs the agent to create wallets and purchase credits without a clear, prominent warning that these are financial and account-establishing actions with real asset implications. An agent following these instructions could create persistent accounts or trigger blockchain payments on a user's behalf without sufficiently informed consent.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The tool supports base64-to-file conversion, cloud storage, and generation of signed URLs, but the skill does not clearly warn that user data may be stored remotely and made retrievable via shareable links. This can expose sensitive uploaded or generated content to unintended retention, access, or sharing risks, especially when agents process private attachments or documents.

VirusTotal

VirusTotal findings are pending for this skill version.
