ClawdVine

Security checks across malware telemetry and agentic risk

Overview

ClawdVine is not clearly malicious, but it is rated Review because it can use a raw wallet private key for paid signing and for durable onchain identity and token actions.

Install it only if you intend to let an agent use ClawdVine's payment or identity features. Fund a dedicated low-balance Base wallet for it and never give it a main wallet key. Before each paid action, confirm the prompt, model, recipient, chain, and USDC amount. Treat token launches, margin fees, and onchain profile updates as public, durable actions that cannot be rolled back.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%

Finding: The manifest materially understates the skill's capabilities. It describes a short-form video generation and payment skill, but the body also enables identity registration, profile persistence, social features, MCP exposure, and onchain token-launch workflows. Integrators and users may therefore grant broader trust than intended, since security reviews, permissioning, and user consent commonly rely on the manifest summary to judge scope.

Context-Inappropriate Capability
Severity: High
Confidence: 93%

Finding: The documented token launch and monetization features are significantly broader and riskier than the stated purpose of short-form video generation. They can trigger wallet-backed economic actions, asset creation, and revenue routing that users do not expect when enabling a media skill. In context, the mismatch raises the chance of deceptive activation and of financial operations being authorized inappropriately.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%

Finding: The skill supports updating persistent agent identity and profile state, including metadata and onchain-linked records, which exceeds the manifest's narrow video-generation framing. Consumers may permit the skill assuming ephemeral media operations, while it can in fact alter durable identity state and the public-facing metadata attached to it. Because that state persists, mistakes or abuse are harder to unwind.

Intent-Code Divergence
Severity: Medium
Confidence: 97%

Finding: The script advertises that it checks a user's $CLAWDVINE balance, but it actually queries a different hard-coded token contract named IMAGINE_TOKEN. In a payment or eligibility workflow, users and downstream agents may then make authorization, gating, or payment decisions based on the wrong asset, leading to denial of service, incorrect access grants, or user deception. Before trusting the balance gate, confirm that the contract address the script queries is the one published for the token it claims to check.
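This class of divergence can be caught before installation by comparing what a function's comments promise against the contract constant its balance call actually reads. The following is an added example, not ClawdVine's or SkillSpector's code: a small lint over a constructed JavaScript snippet that reproduces the pattern the finding describes (a comment promising `$CLAWDVINE`, a `balanceOf` read against `IMAGINE_TOKEN`). The sample script, its function names and its placeholder addresses are all constructed for the example; the real ClawdVine source is not on this page.

```python
"""Static check for advertised-vs-queried token divergence.

Added example, not ClawdVine's own code. The sample script below is a
constructed stand-in for the finding's pattern; addresses are placeholders.
"""
import re

# Constructed sample: the first function's comment promises $CLAWDVINE but its
# balanceOf call reads IMAGINE_TOKEN; the second function is consistent.
SAMPLE_SCRIPT = """
const IMAGINE_TOKEN = "0x1111111111111111111111111111111111111111";
const CLAWDVINE_TOKEN = "0x2222222222222222222222222222222222222222";

// Checks the user's $CLAWDVINE balance before allowing a paid action.
async function hasClawdvineBalance(user) {
  const bal = await client.readContract({
    address: IMAGINE_TOKEN, abi: erc20Abi, functionName: "balanceOf", args: [user],
  });
  return bal > 0n;
}

// Checks the user's $IMAGINE balance for the legacy tier.
async function hasImagineBalance(user) {
  const bal = await client.readContract({
    address: IMAGINE_TOKEN, abi: erc20Abi, functionName: "balanceOf", args: [user],
  });
  return bal > 0n;
}
"""

# A run of // comment lines, then a (possibly async) function whose body ends
# at the first "}" in column 0. Heuristic, good enough for a pre-install scan.
FUNC_RE = re.compile(
    r"((?://[^\n]*\n)+)\s*(?:async\s+)?function\s+(\w+)\s*\([^)]*\)\s*\{(.*?)\n\}",
    re.DOTALL,
)
ADVERTISED_RE = re.compile(r"\$([A-Z][A-Z0-9]*)")       # "$CLAWDVINE" in a comment
ADDRESS_RE = re.compile(r"address:\s*([A-Z][A-Z0-9_]*)")  # "address: IMAGINE_TOKEN"


def canonical(identifier: str) -> str:
    """Map a constant such as IMAGINE_TOKEN to the symbol it stands for."""
    return re.sub(r"_(TOKEN|ADDRESS|CONTRACT)$", "", identifier)


def find_divergences(source: str) -> list[dict]:
    """Return one record per function that reads a balance from a token
    other than the one its leading comment advertises."""
    findings = []
    for match in FUNC_RE.finditer(source):
        comment, name, body = match.groups()
        if "balanceOf" not in body:
            continue
        advertised = set(ADVERTISED_RE.findall(comment))
        if not advertised:
            continue  # nothing promised, nothing to contradict
        queried = {canonical(const) for const in ADDRESS_RE.findall(body)}
        for token in sorted(queried - advertised):
            findings.append({
                "function": name,
                "advertised": sorted(advertised),
                "queried": token,
            })
    return findings


# The same script with the first balanceOf pointed at the advertised token.
FIXED_SCRIPT = SAMPLE_SCRIPT.replace("address: IMAGINE_TOKEN", "address: CLAWDVINE_TOKEN", 1)

if __name__ == "__main__":
    for record in find_divergences(SAMPLE_SCRIPT):
        print(f"{record['function']}: advertises {record['advertised']} "
              f"but queries {record['queried']}")
    print("fixed script divergences:", find_divergences(FIXED_SCRIPT))
```

The lint only compares names, so it cannot tell whether `CLAWDVINE_TOKEN` itself holds the right address; that last step still requires checking the constant against the token's published contract address.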

Missing User Warnings
Severity: Low
Confidence: 78%

Finding: The skill instructs agents to persist `agentId` in memory, config, or environment without discussing the privacy or linkage implications. Although `agentId` is not a secret like a private key, it is a durable identifier tied to wallet and account activity and to portfolio history, so careless storage increases the risk of correlation, tracking, or accidental disclosure. The repeated emphasis on permanent storage makes that outcome more likely.

VirusTotal

65/65 vendors returned a clean verdict for this skill. A clean antivirus result does not bear on the capability and intent findings above, which concern what the skill is permitted to do rather than known malware signatures.
