easyclaw

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can use a Solana wallet and API token to place real or automated trades and manage EasyClaw agents, so it needs careful review before installing.

Install only if you intentionally want an EasyClaw trading and agent-management tool. Use a dedicated low-balance or devnet wallet, avoid reusing your main Solana keypair, keep API tokens scoped and revocable, start with dry-run, set max order and cooldown limits, and review every backend or autotrade command before allowing live execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises and operationalizes access to sensitive environment variables, wallet paths, network endpoints, WebSocket connections, and authenticated API tokens, yet the finding indicates those capabilities are not formally declared as permissions. This creates a transparency and governance gap: an agent or reviewer may underestimate the skill's ability to access credentials and communicate externally, increasing the risk of unintended secret exposure or unauthorized network actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose frames the skill as a self-contained user DEX utility for balances and order submission, but the described behavior extends into automated trading, arbitrary WebSocket monitoring, backend agent lifecycle management, strategy creation/publishing, auth/session flows, and local persistence of wallet and strategy data. This mismatch is dangerous because it obscures materially higher-risk capabilities, making it easier for an agent or operator to invoke actions with financial, credential, or operational consequences without informed consent.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The interface description materially broadens the skill beyond its stated purpose of user-facing DEX actions into backend market/history access and agent or strategy session management. That scope expansion is dangerous because agents may invoke privileged or operational capabilities the user did not intend, increasing the chance of unauthorized actions or data exposure through prompt-based tool selection.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Including authenticated agent/strategy/risk/kill-switch controls in a skill described as user-facing DEX actions creates a privilege mismatch and exposes highly sensitive operational functions through a broadly invoked interface. If selected by an agent in the wrong context, these controls could alter trading safeguards, terminate strategies, or manipulate account operations without sufficiently explicit user intent.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The reference expands the skill from simple user-facing DEX order submission and balance checks into backend administration, strategy/session management, kill-switch controls, websocket monitoring, autotrading, and onboarding. This scope drift is dangerous because agents may invoke powerful actions not disclosed in the skill metadata, including authenticated management endpoints and autonomous trading flows, increasing the chance of unauthorized trades, account changes, or operational misuse.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The autotrade and onboard commands enable autonomous trading and a guided setup flow that collects wallet details, stores strategy prompts, and launches live execution. In the context of a skill advertised for manual user-facing DEX actions, these features materially increase risk by allowing the agent to transition from assisting a user to initiating or automating financial activity with persistent behavior.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The exposed command surface materially exceeds the declared skill purpose. A skill presented as limited to user-facing DEX order and balance actions also advertises agent administration, strategy lifecycle, session control, owner rebinding, auth flows, and kill-switch operations, which creates a dangerous trust mismatch and can cause an agent or operator to authorize far broader actions than intended.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
These code paths enable creation and modification of agents and strategies, session start/stop, risk changes, publishing, and kill-switch actions—privileged administrative operations unrelated to the stated balance/order helper role. In an agent-skill setting, hidden or under-declared write capabilities are dangerous because they expand what the agent can do with user credentials or tokens beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The presence of authentication challenge, signature verification, token refresh, and owner rebinding flows broadens the skill into account/auth management rather than simple DEX interaction. Such flows can facilitate account takeover-adjacent actions or misuse of session material if an agent is permitted to invoke them without the user understanding that the skill handles identity and binding operations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The wrapper exposes backend, watch, autotrade, and onboard commands even though the stated skill purpose is limited to submitting user orders and checking balances. This scope expansion increases the attack surface and may let an agent invoke higher-risk capabilities such as autonomous trading, onboarding flows, or arbitrary backend interactions that users and policy layers would not expect from the manifest description.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The onboarding flow does more than collect user-facing order parameters: after saving configuration it launches a realtime trading agent that can continue placing orders autonomously. In the context of a skill advertised for submitting user orders or checking balances, this materially expands authority and creates risk of unintended or repeated trades with real funds.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script enumerates wallet paths from CLI arguments, environment variables, default home-directory locations, and the Solana CLI config, then parses whichever keypair files are readable. This broad local credential discovery exceeds the minimal permissions implied by the skill description and increases exposure of sensitive wallet material and the chance of operating on an unintended wallet.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
The script persists wallet path selections into the skill-local .env file and later stores strategy metadata including wallet_path on disk. Retaining credential-location metadata is not necessary for a narrow DEX action skill and can leak sensitive filesystem details or make later unintended reuse of the wallet more likely.

Known Vulnerable Dependency: ws==8.18.3 — 1 advisory: CVE-2026-45736 (ws: Uninitialized memory disclosure)

Low
Category
Supply Chain
Confidence
96% confidence
Finding
ws==8.18.3

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal