Niuma Bounty

Security checks across malware telemetry and agentic risk

Overview

This skill is for a real on-chain bounty workflow, but it can sign and broadcast high-impact blockchain transactions with a raw wallet key while some risks are under-disclosed.

Install only if you intend to use this skill for Niuma on-chain actions. Prefer the unsigned transaction flow with an external wallet, use a dedicated testnet wallet with minimal funds, avoid putting a valuable private key in NIUMA_WALLET_SECRET, verify contract addresses and calldata before signing, and treat approvals, payouts, staking, referral binding, and email/social bindings as public and persistent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The file header states the CLI is limited to read-only queries and unsigned transaction building, but the implementation includes many state-changing functions that sign and broadcast transactions using NIUMA_WALLET_SECRET. This mismatch can mislead an agent or user into granting broader trust than warranted, increasing the chance of unintended on-chain writes, approvals, staking, identity binding, or fund movement.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The help text repeats the misleading claim that the tool is for read-only queries plus unsigned transaction building, while also exposing numerous write commands that directly submit signed transactions. In an agent setting, deceptive capability descriptions are dangerous because planners may choose the tool under false assumptions and trigger irreversible blockchain actions.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README advertises capabilities that can trigger meaningful on-chain actions, including publishing tasks, reviewing outcomes, bidding, and especially ERC20 authorization management, but it does not warn users that these operations may create transactions, spend funds, grant token allowances, or have irreversible effects. In a blockchain skill, missing user-facing safety warnings increases the risk of users invoking dangerous actions without understanding approval scope, transaction finality, or testnet/mainnet confusion.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding
The trigger phrase '提交凭证' ("submit proof") is broad and can overlap with ordinary conversation, which can cause the agent to enter a transaction-preparation flow without sufficient contextual confirmation. In a wallet-connected skill, ambiguous activation raises the risk of unintended collection of proof data and progression toward a state-changing blockchain action.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
Using generic phrases like '审核' ("review") or '查看提交' ("view submissions") as triggers is dangerous because they can map to an approval or rejection workflow for blockchain submissions, including irreversible payout decisions. The surrounding context explicitly notes that approval is irreversible and transfers the bounty immediately, so ambiguous triggering materially increases the chance of unintended asset movement.

Natural-Language Policy Violations

Severity: Low
Confidence: 86%
Finding
The lockfile pins package downloads to a non-default HTTP mirror (`mirrors.tencentyun.com`) rather than the standard npm registry. Because this uses plain HTTP, dependency tarballs and metadata could be tampered with in transit, undermining supply-chain integrity even if integrity hashes provide some protection; it also forces all installs through a region-specific third party without explicit user consent.

Natural-Language Policy Violations

Severity: Low
Confidence: 86%
Finding
Additional transitive dependencies are also resolved from the same China-specific HTTP mirror, extending the trust boundary to more packages and increasing exposure to mirror compromise or traffic interception. In a skill that ships a CLI and depends on blockchain libraries, supply-chain tampering could lead to credential theft, malicious transaction behavior, or other code execution during runtime.

Natural-Language Policy Violations

Severity: Low
Confidence: 85%
Finding
The repeated use of a region-specific mirror throughout the lockfile indicates the project enforces a nonstandard package source rather than inheriting a user's registry choice. In this context, the dependency set includes `ethers` and related crypto/network packages, so any successful substitution of package content could have outsized impact on wallet operations, secret handling, or network communications.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The bind-email, bind-telegram, and bind-twitter commands write personal identifiers directly on-chain without a strong privacy warning at the point of use. Because blockchain data is public and effectively permanent, users may unknowingly expose sensitive contact information that can be harvested, correlated, or abused.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal