Agentic Street

Security checks across malware telemetry and agentic risk

Overview

This DeFi skill is mostly coherent, but it needs review because it can help submit real financial transactions through a third party and overstates some veto protections.

Install only if you are comfortable with agent-assisted DeFi operations. Leave BANKR_KEY unset unless you intentionally want third-party transaction submission, verify every transaction target, chain, calldata, amounts, and slippage before signing, and do not assume all trades have a veto window. Run the watcher only with a trusted local hook and protect all API keys from logs, shells, and shared environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documented watcher does more than poll for notifications: it sends an authenticated POST to a local OpenClaw agent hook, which can wake or trigger downstream agent behavior based on remote server-controlled events. That expands the trust boundary from passive notification retrieval to local agent orchestration, and if the remote notification source is compromised or abused, it could cause unintended local actions or agent wakeups.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The guide instructs users to request unsigned transactions for finalise and cancel flows that directly affect custody and fund lifecycle, but it does not explicitly warn users to verify the contract address, chain, method, and economic consequences before signing. In a financial agent context, this omission increases the risk of users signing the wrong transaction target or misunderstanding an irreversible action that can cancel a raise or change fund state.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The wind-down section documents an irreversible operation that cancels pending proposals, settles fees, and enables immediate LP withdrawals, but it lacks a strong, explicit caution callout immediately adjacent to the action. In a finance/DeFi manager skill, this increases the chance of an operator triggering a permanent state change without appreciating that remaining external positions may become stranded and management fee claims may be forfeited.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The Uniswap example uses `amountOutMin: "0"`, which effectively disables slippage protection and can allow severe value loss from adverse price movement or sandwich/MEV attacks. Because the adapter path executes instantly with no veto window, presenting this as a recommended example in a live DeFi fund-management guide makes accidental unsafe execution more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The watcher acknowledges notifications immediately after attempting hook delivery, and both calls suppress errors with '|| true'. This can permanently advance the ack floor even if the local agent never actually processed the event, causing missed alerts or lost opportunity to review/veto time-sensitive proposals.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The documentation repeatedly instructs users to send authenticated requests with a bearer API key but does not warn them to protect the credential from shell history, logs, screenshots, shared terminals, or accidental publication. In a finance/withdrawal workflow, exposed API keys could let an attacker query or initiate sensitive account actions through the platform API, increasing account-takeover or unauthorized transaction-preparation risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When BANKR_KEY is present, the script automatically submits the veto transaction to a third-party service without any interactive confirmation, dry-run, or explicit opt-in flag. In a financial/transaction-signing context, this increases the chance of unintended irreversible actions caused by operator error, misconfigured environment variables, or automation pipelines.

External Transmission

Medium
Category
Data Exfiltration
Content
**Via Bankr (if you have the Bankr skill):**

```bash
curl -X POST https://api.bankr.bot/agent/submit \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $BANKR_KEY" \
  -d '{
```
Confidence
87% confidence
Finding
https://api.bankr.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
if [ -n "$BANKR_KEY" ]; then
  echo "Submitting veto via Bankr..."
  curl -s -X POST "https://api.bankr.bot/agent/submit" \
    -H "X-API-Key: $BANKR_KEY" \
    -H "Content-Type: application/json" \
    -d "{\"transaction\": $RESULT, \"waitForConfirmation\": true}" | jq '.'
Confidence
93% confidence
Finding
curl -s -X POST "https://api.bankr.bot/agent/submit" \ -H "X-API-Key: $BANKR_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
if [ -n "$BANKR_KEY" ]; then
  echo "Submitting veto via Bankr..."
  curl -s -X POST "https://api.bankr.bot/agent/submit" \
    -H "X-API-Key: $BANKR_KEY" \
    -H "Content-Type: application/json" \
    -d "{\"transaction\": $RESULT, \"waitForConfirmation\": true}" | jq '.'
Confidence
93% confidence
Finding
https://api.bankr.bot/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Adapter Path (Recommended)

One proposal. No approval step. The server encodes the calldata for you.

**Supported adapters and actions:**
Confidence
84% confidence
Finding
No approval

VirusTotal

64/64 vendors flagged this skill as clean.
