ClawHub

Claws Temple Bounty 2.0

Security checks across malware telemetry and agentic risk

Overview

This skill is a branded bounty helper, but it can install dependencies and drive account, token-approval, DAO-vote, and public-platform actions with inadequate user-facing disclosure.

Review carefully before installing. Use it only if you understand it may modify local Codex skills, ask for a CA keystore password, and perform real token approval and DAO voting actions. Do not paste passwords or secrets into ordinary chat unless the host provides a trusted secure secret prompt, and do not share wallet/account details, tokens, private repo links, or logs in Telegram or X.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (32)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill instructs the agent to read multiple local files and, when dependencies are missing, to run a shell helper script and perform install or upgrade actions. Those are material capabilities, yet no explicit permission declaration is present, which weakens host-side consent and makes it easier for a user invoking a branded workflow to trigger filesystem access or command execution they did not expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared description presents an end-user bounty orchestration workflow, but the instructions also authorize repository validation, dependency installation/upgrades, remote endpoint probing, and release-gate style maintenance actions. This mismatch is dangerous because it can conceal operationally sensitive behavior behind a benign social/productivity description, undermining informed consent and increasing the chance of hidden code-fetching or shell activity.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This configuration clearly enables on-chain token approval and DAO voting through named approve/vote tools, network identifiers, payload mappings, and send-mode execution, yet the skill description frames the workflow as a branded five-task social journey. That mismatch can materially impair informed user consent and cause users to authorize token spending or cast governance votes without understanding they are performing blockchain actions.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The config includes a Telegram invite URL and templated success messages unrelated to the minimally necessary mechanics of casting a DAO vote. This creates an unnecessary off-platform redirection channel that can be used for tracking, social engineering, or continued manipulation after the user completes a sensitive on-chain workflow.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The line 'Use this flow for Task 2 or any partner-finding request' expands the skill beyond the manifest's branded Claws Temple-only scope. That can cause the agent to invoke this branded workflow in unrelated contexts, creating policy drift, confusing users, and increasing the chance of inappropriate dependency actions or data collection outside the intended workflow.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The inline instruction contradicts the metadata restriction that says the skill should not be used for generic partner-matching requests outside the brand context. Contradictory routing guidance is dangerous because runtime selection may follow the broader instruction, causing unauthorized or unintended activation of this skill path.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The flow expands Task 4 from a branded bounty-routing step into a general gateway for multiple SHIT Skills platform operations. That broader action surface can cause the agent to perform platform actions outside the user’s expected bounty task scope, increasing the risk of unintended or unauthorized operations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Supporting edit, delete, and parsing repo content introduces destructive and sensitive operations that are not clearly necessary for the stated Task 4 purpose. If triggered loosely or without strong confirmation gates, the agent could modify or remove content or process repository data in ways the user did not intend.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file explicitly says, "Use this flow for generic bounty questions," which broadens the skill beyond the manifest's strict brand-specific scope. In an agent system, this kind of scope drift can cause the wrong skill to activate for unrelated requests, leading to misrouting, policy bypass, and unintended branded guidance in contexts where it should not apply.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented behavior expands routing from a narrowly branded workflow into generic bounty handling, which changes the skill's effective authority and applicability. This increases the chance that the agent will inappropriately steer users into this branded five-task path, producing incorrect task routing and contaminating unrelated conversations with workflow-specific instructions.

Vague Triggers

Low
Confidence
69% confidence
Finding
This file supports a proposal-voting workflow with hard-coded DAO, proposal, and transaction parameters, but the surrounding description does not provide strong invocation constraints for when the skill may run. In an agent setting, weak triggering rules increase the chance of accidental or contextually inappropriate execution of approval and voting actions, especially when the branding obscures the transactional nature of the workflow.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The file explicitly instructs use of this content only when `output_language = en`, which can override or constrain the user's language preference if the surrounding system does not enforce consent-based language selection. In a branded workflow, this is not a code execution risk, but it can still cause policy and UX issues by forcing English output without clear user opt-in.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example instructs users to share their current step, error, and key context on Telegram and X, which can lead to disclosure of sensitive operational details, account identifiers, internal workflow state, or other private data on public or third-party platforms. In a troubleshooting flow, users are especially likely to overshare, and the absence of any privacy warning, redaction guidance, or safer support channel increases the likelihood of accidental exposure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill tells the user that account-related and matching-preparation actions will be 'automatically advanced' and that the agent will handle identity entry, login recovery, user ID resolution, and later matching steps, but it does not clearly warn that these are system-affecting operations. That can mislead users into consenting to authentication-state changes or workflow actions they did not explicitly approve, especially in an agentic context where automation may trigger real account or queue operations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file states that if the `resonance-contract` version is too low or missing, the agent will help install or upgrade it first, without an explicit safety warning or consent gate. Automatic dependency installation or upgrade is risky because it can modify the host environment, pull code from a repository or overrideable source, and expand the attack surface if the source or version is untrusted.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs the user to provide a CA keystore password, which is a highly sensitive secret, yet it gives no safety guidance, secure collection mechanism, or warning against sharing it in plain chat. In an agent workflow, this is especially dangerous because users may paste credentials directly into an untrusted conversational channel, enabling credential theft, wallet compromise, unauthorized signing, or downstream account takeover.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly states that checks, authorization, submission, and confirmation will be completed automatically, but it does not present an upfront, clear warning that these are state-changing blockchain actions. In this context, the actions include token approval and voting/record submission through a CA path, so a user could unknowingly authorize irreversible on-chain operations or grant allowances without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example instructs users to share their current step, error, and key context in public channels, but provides no warning to avoid including secrets, personal data, wallet details, access tokens, private repository links, or other sensitive troubleshooting material. In a workflow involving account registration, sign-in, and GitHub publishing, users are especially likely to disclose credentials or internal project information when seeking help, making this a real privacy and security exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The text tells users to post their current steps, errors, and key information in public channels without any warning to redact secrets or personal data first. In a workflow involving accounts, login state, and repository details, users may inadvertently disclose email addresses, OTP-related screenshots, access tokens, private repo URLs, or other sensitive operational details.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger condition is broad enough that the skill may activate for loosely related 'six-axis, coordinate, or hexagon' requests rather than only the branded Claws Temple workflow. That can cause incorrect skill selection, unexpected dependency execution, and unintended exposure of branded or workflow-specific behavior in contexts where the user did not ask for it.

Natural-Language Policy Violations

Medium
Confidence
76% confidence
Finding
Hard-coded language and terminology mappings force output transformations without confirming the user's language or presentation preference. While not directly enabling code execution, this can override user intent, create misleading or culturally incorrect output, and weaken trust boundaries by making the agent follow hidden template rules over explicit user preference.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger scope is overly broad because 'any partner-finding request' lacks constraints and exclusions. In skill-routing systems, ambiguous scope can misfire into unrelated requests, leading the agent to push a branded onboarding and dependency flow where it is not appropriate.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
Mandating specific Chinese-branded phrasing without language preference handling can coerce users into a branded script they may not understand. While not a direct code-execution issue, it is a genuine safety and UX vulnerability because it reduces informed consent and increases the chance users approve identity or matching steps without clear comprehension.

Natural-Language Policy Violations

Medium
Confidence
85% confidence
Finding
The required visible output hard-codes multiple Chinese phrases and branded wording without any preference or accessibility check. In this context, the risk is misunderstanding during identity setup, sign-in recovery, and user-ID confirmation, which can undermine informed user participation even if the backend flow is legitimate.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrase 'Task 3 or any faction belonging request' is broader than the branded scope described in the skill metadata, so the flow may activate for unrelated 'faction' requests and initiate a high-impact on-chain oath/voting sequence in the wrong context. In this skill, that over-breadth is more dangerous than usual because the flow includes credential prompts, dependency self-heal behavior, token checks, and real CA-routed write operations.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal