Flap Skills

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates live crypto token creation, approvals, trading, worker-wallet funding, and volume-generation, but it gives the agent too much autonomous financial authority for a single trigger.

Install only if you fully understand the on-chain financial automation. Use a fresh low-balance wallet, avoid unlimited approvals where possible, confirm every address and amount before execution, set explicit bot rounds and gas budgets, revoke allowances and remove allowed callers after use, and protect or delete generated worker key files. Do not use the market-making/volume-generation (做市/刷量) workflow unless you have confirmed it is lawful and acceptable for the token and venue involved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
80% confidence
Finding
The skill explicitly relies on MCP environment secrets such as PRIVATE_KEY, but the manifest does not declare corresponding permissions or clearly scope secret access. Hidden secret-dependent behavior reduces transparency and makes it harder for users or platforms to reason about what sensitive capabilities the skill will exercise.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description understates material behaviors: uploading metadata externally, generating and storing worker private keys, deriving addresses, computing vanity salts, and auto-collecting funds. This mismatch prevents informed consent and can hide sensitive operations involving off-chain data disclosure, key material, and movement of assets.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to autonomously transfer BNB to generated worker wallets as part of execution, expanding from trading assistance into discretionary fund disbursement. Because these wallets are freshly generated and controlled through locally stored private keys, this creates a direct path for unreviewed asset movement and possible loss or abuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill directs the agent to grant effectively unlimited USDT allowance to the contract for market-making. Unlimited approval creates open-ended exposure: if the contract is compromised, buggy, or behaves unexpectedly, the user's full approved USDT balance can be drained without further consent.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The skill authorizes autonomous top-up transfers to worker or even log-indicated addresses without owner approval. Allowing logs or runtime hints to influence transfer destinations creates a severe risk of arbitrary fund transfers to attacker-controlled addresses and bypasses any meaningful consent boundary.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script uses child_process.execSync to invoke a separate local script on shutdown, inheriting the full environment including private keys and operational variables. In a skill context handling blockchain funds, spawning external local code broadens the trust boundary: if mm-collect.js is modified, replaced, or path-resolved unexpectedly, it can exfiltrate secrets or transfer assets to an attacker-controlled address.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads a batch of raw private keys from a local file and immediately uses them to derive accounts capable of moving all assets from those wallets. Even if intended for operator-owned worker accounts, this creates a highly sensitive credential-handling path with broad fund-drain capability that is not clearly disclosed by the skill description and would be catastrophic if the file path or key file were misused or exposed.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script performs post-operation consolidation of all token and BNB balances from multiple worker wallets into a single target address, effectively acting as a fund-sweeper. In the context of a trading/token-creation skill, this undisclosed custodial asset movement materially increases risk because an operator, compromised environment, or altered target address could redirect all worker funds in one run.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README explicitly states that the agent will autonomously transfer BNB for gas, approve USDT to the skill contract, register worker callers, and even top up worker gas without additional owner approval. In a skill that can move real on-chain assets via a configured PRIVATE_KEY, this creates a serious risk of unexpected or irreversible fund movement if the user misunderstands the behavior or if the workflow is triggered unintentionally.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill normalizes funding worker wallets and later re-fueling them, but does not prominently warn the user that it will send native tokens to multiple autonomous addresses under its control. This weakens informed consent for repeated asset transfers and increases the chance of unnoticed cumulative loss.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs the agent to approve max uint256 USDT spending without a strong upfront warning. Users may reasonably interpret the action as limited to the requested market-making budget, while in reality the contract receives authority over far more funds than needed.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill states that setAllowedCallers will automatically burn 50,000 tokens from the funder, but this destructive side effect is buried in workflow details rather than surfaced as a clear pre-transaction warning. A user may unknowingly authorize irreversible token destruction while believing they are only enabling worker permissions.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description states that saying a simple trigger phrase, “蝴蝶技能”, activates a skill that can create tokens, trade USDT, and perform market-making behavior. Because the activation phrase is broad and the skill controls high-risk blockchain operations, accidental or context-induced invocation could lead to unintended financial actions and token manipulation workflows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document gives operational instructions for approving USDT and executing token purchases without a clear, prominent warning that approvals authorize token spending and that transactions are irreversible once signed. In a trading skill that directly interfaces with live assets, omission of these warnings materially increases the risk of accidental loss or over-approval by users.

Missing User Warnings

High
Confidence
98% confidence
Finding
The document explicitly notes that sellTokens has no slippage protection but does not elevate this into a strong warning about potentially severe execution loss, MEV exposure, or receiving much less USDT than expected. Because it instructs users how to sell live positions, this omission can directly lead to substantial financial harm under volatile or manipulated market conditions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The percentage-based sell flow allows 10000 bps = 100% liquidation, yet the documentation does not clearly warn that users may unintentionally sell their entire position if they misunderstand basis points. Combined with no slippage protection, this creates a serious risk of accidental full liquidation at poor execution prices.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Reading private keys from a JSON file without prominent warnings or defensive handling encourages insecure operational practices around extremely sensitive credentials. This is dangerous because users may store long-lived keys in plaintext on disk, where theft, accidental commit, or path confusion could enable total compromise of all worker wallets.

Missing User Warnings

High
Confidence
95% confidence
Finding
The script sends irreversible token and BNB transfers from every loaded worker wallet to a target address without any confirmation step, simulation, or destructive-operation warning. In this skill context, that is especially dangerous because the tool already automates multi-wallet market-making behavior, so a single mistaken target, wrong token address, or malicious environment change could sweep many wallets at once.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script generates blockchain worker private keys and stores them in a plaintext JSON file on local disk, which creates a direct credential-exposure risk if the host is compromised, the working directory is synced/backed up, or file permissions are too broad. In this skill's context, these keys are immediately usable for market-making wallets on BNB Chain, so disclosure can let an attacker seize wallet control, drain funds, or manipulate the bot's activity.

Ssd 4

High
Confidence
97% confidence
Finding
The narrative reframes increasingly broad financial actions—worker funding, approvals, registration, and script launch—as implicitly authorized once the user asks for market-making. This is dangerous because it collapses multiple sensitive consent checkpoints into a single natural-language trigger and encourages unchecked autonomous asset operations.

Ssd 1

High
Confidence
95% confidence
Finding
The skill uses role framing to define broad transfers and approvals as already authorized components of the user's request. This is a social-engineering pattern that pressures the agent to bypass normal caution around financial actions and reduces the likelihood of obtaining meaningful user consent.

Ssd 3

High
Confidence
94% confidence
Finding
The skill instructs the agent to read locally stored worker private-key files and use them for autonomous execution. Creating and persisting private keys on disk increases the risk of key disclosure, reuse, unauthorized spending, and compromise through other local processes or future sessions.

Ssd 4

High
Confidence
99% confidence
Finding
The workflow explicitly escalates to repeated autonomous top-ups based on logs or user hints, without restoring a confirmation gate. This creates an attacker-friendly loop where crafted outputs or operational noise can trigger additional transfers indefinitely or to unauthorized destinations.

Ssd 4

Medium
Confidence
99% confidence
Finding
This section documents buyForCaller/sellForCaller and allowed-caller workflows specifically in the context of 做市/刷量, i.e. market-making and wash-trading/volume manipulation. Normalizing and operationalizing coordinated artificial volume generation is dangerous because it enables deceptive trading activity, can facilitate fraud against market participants, and increases regulatory, platform, and financial risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"mm-bot": "node scripts/mm-bot.js"
  },
  "dependencies": {
    "axios": "^1.6.0",
    "form-data": "^4.0.0",
    "viem": "^2.0.0"
  }
Confidence
82% confidence
Finding
"axios": "^1.6.0"

VirusTotal

61/61 vendors flagged this skill as clean.
