Back to skill

Security audit

MuHaven RWA Portfolio

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate MuHaven financial skill, but it needs Review because its security boundaries are weaker and less consistent than the user-facing claims suggest.

Install only if you trust MuHaven and understand that this is wallet-adjacent software with a persistent authenticated broker. Prefer read-only mode unless you need buy/claim/pause workflows, verify that your OpenClaw runtime actually enforces sandbox permissions, and avoid relying on the advertised OS-keychain and hash-pinning protections unless you confirm they are active in your environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The top-level description emphasizes portfolio reads and staged buys/claims, but the exposed tool subset also includes pause, audit, protection coverage, KYC attestation, and session key status capabilities that are not clearly surfaced in the primary description. Underspecified capabilities can mislead users and reviewers about the true operational scope, increasing the risk of unsafe invocation or over-trust in an agent handling financial actions.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The bundled code defines issuer, governance, and KYC administration tools that materially exceed the investor-only portfolio functionality described in the skill metadata. Even if some surfaces later filter these tools, shipping the privileged handlers in the same skill increases the blast radius if a generic runner, alternate entrypoint, or future integration exposes the full registry.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The code bundles powerful administrative actions such as distribute_yield, kyc_add/remove, unpause_token, and governance voting/proposals, which are unnecessary for an investor portfolio assistant. In a skill context, overbroad capability exposure is dangerous because authorization mistakes, entrypoint drift, or host misuse can turn dormant admin functionality into reachable attack surface.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The comments state the OpenClaw skill will not advertise issuer/governance tools, but the module also exposes a generic MCP runner (`runMcpStdioCli`) capable of serving the full registry. That mismatch creates a real risk that consumers invoke the generic runner or another entrypoint and unintentionally expose privileged tools that the skill description says are absent.

Credential Access

High
Category
Privilege Escalation
Content
**optional dependency** for platform-specific OS-keychain native bindings
(Windows DPAPI, macOS Security framework, Linux Secret Service over
D-Bus). The skill's inline bundle does **NOT** include the native
keyring — bundling one platform's binary into a cross-platform tarball
would be a net regression.

**Practical effect:** the bundled `@muhaven/mcp`'s keystore falls back
Confidence
83% confidence
Finding
keyring

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/index.cjs:2966

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
dist/index.js:2955