Golden Claw

Security checks across malware telemetry and agentic risk

Overview

This looks like a real GoldenClaw wallet skill, but it needs review because it auto-runs `npm install` at startup and can move real Solana assets.

Install only if you trust the GoldenClaw publisher and are comfortable with a skill that manages real Solana funds. Use a low-value dedicated wallet, verify the donation address before any SOL transfer, avoid pasting valuable seed phrases into agent or shell contexts, and run dependency installation in a controlled environment before use rather than relying on the runtime npm install path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The manifest advertises no permissions while the skill's documented behavior and detected capabilities require both network access and environment interaction. This undermines informed consent and security review, because an agent or operator may approve the skill without realizing it can reach external services and use local/runtime secrets or configuration.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The documented purpose is narrower than the described behavior: it omits SOL donation flows, local wallet and tracking file management, dependency auto-installation, and additional on-chain inspection/simulation features. In a financial skill, this mismatch is dangerous because users may authorize token management while overlooking fund transfers, persistent secret/material storage, and package installation that expands the attack surface.

Description-Behavior Mismatch

Severity: Medium
Confidence: 82%
Finding: The README advertises a `gclaw donate <SOL>` command that moves native SOL to a treasury wallet, which goes beyond simple token balance/history management and introduces direct value transfer to a project-controlled address. In an agent skill context, documenting donation as a normal command can normalize fund transfers and increase the chance of unintended or socially engineered asset loss, especially if users assume the skill only manages GCLAW.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The manifest description omits the documented `gclaw donate <SOL>` command, which sends SOL to a treasury address. Hiding or under-describing a direct value-transfer capability is particularly risky in a crypto skill because it can cause users or automated systems to trust and invoke the skill without understanding that native funds, not just the named token, may be moved.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The code documents dual verification, with the blockchain as the tamper-proof source of truth, but if the on-chain check fails with an error it falls back to the local file check alone. Because local claim records are just filesystem state, an attacker who can delete, modify, or bypass that local file can re-claim tokens whenever RPC errors or parsing failures occur, defeating the stated anti-double-claim control.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding: The function claims to perform a read-only treasury balance lookup, but it uses `getOrCreateAssociatedTokenAccount` with a generated signer, which can attempt state-changing account creation rather than a pure read. This mismatch can trigger unintended on-chain writes, fee spending, or inconsistent behavior, and it undermines operator expectations about what a balance check does.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: On module load, the skill checks for a local `node_modules` directory and unconditionally runs `npm install` via `execSync`. This executes shell commands and arbitrary package lifecycle scripts from package metadata, creating a supply-chain and code-execution risk that is unrelated to handling wallet commands and occurs without explicit user approval.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
Finding: The skill exposes donate and delete command paths that are not declared in the provided skill description, expanding its capabilities beyond what a user may reasonably expect. In a wallet-managing skill, undeclared fund-transfer and destructive wallet-deletion actions increase the chance of social engineering, misuse, or accidental loss.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding: The file implements a `donateSol` function that transfers native SOL to a hard-coded donation address, but the declared skill description only mentions managing the GCLAW token. Hidden or under-disclosed fund-transfer capability is dangerous because an agent or user may authorize operations believing they are limited to token actions, while the skill can also move SOL, which has direct monetary value on Solana.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The README documents `gclaw recover <phrase>` without warning that the recovery phrase is an extremely sensitive secret that grants full wallet control. In agent or CLI environments, users may paste mnemonics into logs, chat transcripts, shell history, or untrusted prompts, leading to total compromise of wallet assets.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The README describes `gclaw send` and `gclaw donate` as ordinary commands without clear warnings that they move real on-chain assets and may be irreversible. In a crypto wallet skill, understated transfer risk is especially dangerous because users or agents may execute commands assuming they are test actions, simulations, or easily reversible operations.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The command list includes wallet creation and token transfer operations without any warning about irreversible blockchain transactions, private key handling, fees, or loss of funds. In the context of a Solana token skill, the absence of safety messaging increases the chance of user error and unsafe automated use, especially for commands that move assets or create local wallet state.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The code automatically installs dependencies with only a generic console message, so users are not meaningfully informed that shell commands and package scripts will run. Because `npm install` can execute arbitrary install-time scripts, this creates a significant integrity and remote code execution risk in the host environment.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The claim command sends the user's wallet address to a remote faucet service without an explicit disclosure at the point of action. Although a wallet address is public on-chain, transmitting it to a third party enables correlation, tracking, and behavioral profiling, which is especially relevant in a wallet-related skill.

Missing User Warnings

Severity: High
Confidence: 83%
Finding: `deleteWallet()` irreversibly destroys the encrypted wallet file and spending tracker with no built-in safeguard, confirmation token, backup step, or caller-verification mechanism. In an agent skill context that manages cryptocurrency wallets, accidental or coerced invocation can permanently remove local wallet access and cause denial of service or loss of recoverability if the user has not safely preserved the mnemonic.

VirusTotal

64/64 vendors reported this skill as clean.