Arbitrum Dapp Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Arbitrum development guide, but users should review the installer and treat deployment examples as real-money blockchain operations.

Prefer installing through ClawHub or by cloning and reviewing the repo instead of running the remote bash one-liner. Set ARBITRUM_SKILL_NO_ANALYTICS=1 before running install.sh if you do not want the install-count ping. Use separate low-balance deployer wallets, keep private keys out of shell history when possible, and double-check the network before any mainnet or --broadcast command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill content includes shell commands and operational steps, but the metadata shown here does not declare corresponding permissions. Undeclared execution capability is risky because an agent or user may run repository-cloning or deployment-related commands without an explicit trust boundary, increasing the chance of unintended local system changes or external network access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The reported behavior goes beyond the declared purpose of providing an Arbitrum development guide: cloning/updating a GitHub repository into the local skills directory and sending telemetry to GoatCounter are materially different actions. Hidden install-time modification of local files plus undisclosed outbound telemetry violates user expectations and can expose environment metadata or create a supply-chain risk if remote content is fetched automatically.

Context-Inappropriate Capability

Low
Confidence
85% confidence
Finding
The page loads third-party analytics and Google Fonts from external domains, which introduces unnecessary network beacons and a supply-chain/privacy dependency unrelated to the core skill documentation. While not directly leading to code execution in the skill, it exposes users viewing local or hosted docs to third-party requests and makes the documentation less self-contained.

Description-Behavior Mismatch

Low
Confidence
93% confidence
Finding
The installer performs network telemetry unrelated to its core installation function by sending an install event to GoatCounter. Although the script documents the behavior and claims to send only a minimal pageview, it still creates an unexpected outbound data flow during installation and expands the trust boundary to a third-party service.

Context-Inappropriate Capability

Low
Confidence
95% confidence
Finding
The installer contains telemetry capability that is not necessary to clone or update the skill, so it introduces extra behavior beyond the stated purpose of an Arbitrum dApp development guide. Even though the payload is limited, unsolicited telemetry in install scripts is a security and trust concern because it normalizes hidden or non-essential outbound communication.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README instructs users to execute a remotely fetched script directly with `bash`, which bypasses review of the downloaded content and creates a supply-chain execution risk. If the GitHub account, repository, branch, or network path is compromised, users could run arbitrary code on their machine immediately.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation promotes `bash <(curl ...)`, which executes shell code fetched at runtime directly from the network without any integrity check or review step. In the context of an agent skill, this is especially risky because users may copy-paste it verbatim, allowing repository compromise, MITM, or malicious script changes to write arbitrary files into the local skill directory or run arbitrary commands.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The mainnet Stylus deployment example directly shows a command that will submit a real transaction using the supplied private key, but it does not prominently warn the reader that this is a live mainnet action with irreversible effects and real funds at risk. In a deployment guide for dApp developers, that omission can lead to accidental production deployment, unintended gas spend, or use of the wrong key/network by inexperienced users.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Forge mainnet example includes `--broadcast` with a real RPC URL and private key, which causes actual on-chain execution, but the documentation does not clearly warn that this is irreversible and incurs real gas costs. Because this skill is specifically a deployment reference for Arbitrum dApp builders, users are likely to copy-paste commands, making the missing warning more operationally dangerous.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document shows how to invoke `writeContract` and send on-chain transactions but does not warn that these actions prompt wallet approval, consume gas, and can permanently change blockchain state. In a frontend integration guide, readers may copy these patterns directly into UI flows without adding user confirmation, cost disclosure, or safeguards, increasing the risk of accidental or misleading transaction initiation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file publishes a private key and immediately demonstrates using it to send transactions, but does not clearly warn that this key is public, test-only, and unsafe outside the local devnode. In a blockchain developer guide, readers often copy commands verbatim; without strong caveats, they may reuse the key pattern, import the key into real wallets, or mistakenly point tooling at non-local RPC endpoints, leading to loss of funds or compromised accounts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The deployment examples instruct users to pass a raw private key directly on the command line without any warning about credential sensitivity. Command-line secrets can be exposed through shell history, process listings, terminal logging, CI logs, or screen sharing, making accidental key compromise more likely and potentially allowing unauthorized contract deployments or theft of funds from the associated account.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation includes commands that embed a raw private key directly on the command line, which normalizes unsafe key-handling practices and can lead to credential leakage through shell history, process listings, screenshots, logs, or copy-paste reuse in non-local environments. In a blockchain deployment/testing guide, this is especially risky because users may reuse the example pattern with funded keys or against non-local networks, resulting in wallet compromise and unauthorized transactions.

VirusTotal

64/64 vendors flagged this skill as clean.
