Optionns

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being a devnet sports-betting trader, but it gives agents broad automatic transaction-signing authority with limited local safeguards.

Install only if you are comfortable with an agent signing and submitting Solana devnet transactions automatically. Use a throwaway devnet wallet, do not provide real private keys or mainnet RPC endpoints, review whether you trust api.optionns.com, and avoid autonomous mode unless you have clear spending and stop conditions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The devnet-only safety control is implemented with permissive substring matching, so attacker-controlled or malformed URLs such as `https://api.devnet.solana.com.evil.example` can pass validation while sending signed transactions to an arbitrary host. In a signer helper, this is dangerous because the code will disclose signed transaction material and interact with unintended infrastructure despite documentation claiming devnet-only restrictions.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill repeatedly frames itself as devnet-only and low-risk, but the roadmap explicitly mentions a future mainnet transition. That mismatch matters because the same autonomous trading, credential storage, and signer workflow could later be reused with real assets, increasing the chance that operators normalize unsafe deployment assumptions before stronger safeguards exist.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The manifest describes 'autonomous sports micro-betting for AI agents' without any stated trigger boundaries, approval gates, spending limits, or operator consent requirements. In a financial and gambling context, this creates a real risk that an integrating agent may invoke trading behavior too broadly or continuously, leading to unauthorized wagering and financial loss.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The API reference includes trade execution, deposits, and withdrawals with no explicit warnings about irreversible financial actions, slippage/quote expiry, testnet-vs-mainnet confusion, or the need for user confirmation before signing/submitting transactions. In an agent skill context, examples often become implementation guidance, so omission of these safeguards can lead agents to autonomously place trades or move liquidity without adequate consent and risk controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The WebSocket example passes the API key in the URL query string, which is commonly exposed in logs, browser history, proxy telemetry, and monitoring systems. Even over WSS, query parameters are more likely to be retained by infrastructure than headers, increasing the chance of credential leakage and unauthorized API use.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes a newly issued API key to ~/.config/optionns/credentials.json automatically, without obtaining explicit consent before persisting sensitive credentials. Although chmod 600 reduces exposure, silent persistence of secrets increases the chance of unintended retention on shared, backed-up, or compromised systems.

Missing User Warnings

High
Confidence
94% confidence
Finding
After obtaining a quote, the script immediately signs and submits the blockchain transaction unless --dry-run is used, with no interactive confirmation or policy gate. In a trading/betting context, this can cause irreversible financial actions if the command is invoked with mistaken parameters, malicious automation, or manipulated upstream data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This function signs and submits arbitrary Solana instructions supplied by the caller without any policy checks, simulation review, allowlist, or user confirmation. In an agent setting where instructions may come from an external API or model output, that makes this a high-risk transaction-signing primitive that can authorize unintended asset transfers or destructive program interactions; the devnet context reduces production impact somewhat, but the code itself still normalizes unsafe behavior and could be repurposed with other keys/endpoints.

Missing User Warnings

High
Confidence
98% confidence
Finding
The autonomous trading loop places bets and may sign and submit on-chain transactions without any interactive confirmation, explicit authorization gate, spending limit acknowledgement, or dry-run mode. In this skill's context, the code is expressly designed to make real wagering and settlement decisions automatically, so a bad model, bad API response, operator mistake, or compromised backend can directly trigger financial loss.

Missing User Warnings

High
Confidence
99% confidence
Finding
The deposit path requests a server-supplied instruction and immediately signs and broadcasts it with the local keypair, with no independent validation of the instruction contents and no user confirmation step. Even with devnet RPC enforcement, this pattern is dangerous because it trains users to blindly sign backend-provided transactions and would be severe if pointed at a different environment or reused in production-like settings.

Missing User Warnings

High
Confidence
99% confidence
Finding
The withdraw path has the same unsafe signing model as deposit: it takes a backend-provided instruction and immediately signs and submits it without a confirmation barrier or strict local validation. In a financial skill that manages blockchain assets, this increases the risk of unintended or malicious transactions if the API, configuration, or surrounding workflow is compromised.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest explicitly advertises 'Autonomous sports micro-betting' for AI agents but does not define approval gates, scope limits, stake limits, or concrete triggers for when trades may be placed. In a financial and betting context, broad autonomous language materially increases the risk of unintended or unauthorized value-moving actions by an agent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest describes creation of API credentials and a signing keypair alongside automated trade execution and payouts, but it does not present an explicit warning that the skill can place bets, sign transactions, and persist sensitive material locally. In a wallet-integrated betting skill, omission of a strong user warning increases the likelihood that users or host agents enable high-risk behavior without informed consent.

VirusTotal

65/65 vendors flagged this skill as clean.
