Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

This blockchain security skill is not clearly malicious, but it can let agents treat mock or heuristic results as authorization to proceed with irreversible crypto actions.

Review carefully before installing. Use this only as advisory unless you have verified it is connected to a real Sigui backend, and never let mock or local fallback ALLOW results authorize fund movement. Require explicit user confirmation before any transfer, approval, swap, bridge, mint, or contract interaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding: The skill is presented as a blockchain security oracle, but when the SDK is unavailable or the default local URL is used it silently falls back to a heuristic mock evaluator and can even auto-start a local mock server. In a security-gating context, this can cause agents to trust fabricated or non-authoritative ALLOW/BLOCK/ESCALATE decisions, undermining the core control and enabling unsafe transactions to proceed.

Intent-Code Divergence

Medium
Confidence: 95%
Finding: The module documentation states that the script evaluates transactions using the Sigui Protocol and returns actionable security decisions, but the implementation may instead produce heuristic mock results. This mismatch is security-relevant because operators and downstream agents may assume oracle-backed enforcement when they are actually receiving simulated judgments.

Vague Triggers

Medium
Confidence: 79%
Finding: The read_when triggers are broad enough to activate on many ordinary blockchain-related conversations, causing the skill to be selected in contexts where the user did not intend local security-evaluation tooling to run. In combination with the skill's instruction to execute code, this increases the chance of unintended invocation and over-trust in its verdicts.

Missing User Warnings

Medium
Confidence: 91%
Finding: The skill instructs the agent to execute a local script via bash or python as part of normal handling, without requiring explicit confirmation or presenting a warning to the user. This is dangerous because it normalizes code execution from skill content, potentially exposing the runtime to unintended local actions, environment usage, network access, or misleading security verdicts before the user understands what is happening.

VirusTotal

VirusTotal findings are pending for this skill version.