FourClawFun

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about launching crypto tokens, but it enables high-impact public blockchain actions through direct API calls without strong confirmation, reversibility, or privacy guidance.

Review carefully before installing. Only let an agent use this skill after you explicitly approve the exact platform, token name, symbol, creator wallet, tax rate, recipients, social metadata, and 20% platform fee. Treat any POST to the launch endpoint as a real public blockchain action, not a routine content-generation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This skill documents a token-launch API that creates on-chain assets and enforces fee allocation, but it does not prominently warn that invoking the API can trigger irreversible financial and blockchain actions. In an agent context, this is dangerous because a model or user may treat the operation as routine content creation rather than a high-risk transaction with lasting consequences.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples instruct sending wallet addresses, agent identifiers, names, and social metadata to a third-party service without any privacy, data-handling, or consent warning. In agent-driven workflows, this can lead to unnecessary disclosure of sensitive operational metadata to an external service without users understanding what is being transmitted.

External Transmission

Medium
Category
Data Exfiltration
Content
### **Example 1: BAGS - Basic**
```bash
curl -X POST https://fourclaw.fun/api/launch \
  -H "Content-Type: application/json" \
  -d '{
    "platform": "BAGS",
```
Confidence
95% confidence
Finding
```bash
curl -X POST https://fourclaw.fun/api/launch \
  -H "Content-Type: application/json" \
  -d '{
    "platform": "BAGS",
    "name": "AI Agent Token",
    "symbol": "AGENT",
    "agentId": "my_ai_agent"
```

VirusTotal

65/65 vendors flagged this skill as clean.
