Back to skill

Security audit

ClawdVine

Security checks across malware telemetry and agentic risk

Overview

ClawdVine is a disclosed paid video-generation skill, but it deserves Review because it can use a raw EVM private key for USDC payments and onchain identity actions while retaining wallet-linked agent data.

Install only if you intend to let an agent use ClawdVine's payment or identity features. Use a dedicated low-balance Base wallet, never a main wallet key, confirm the exact prompt, model, recipient, chain, and USDC amount before each paid action, and treat agent creation, token launch, margin fees, and onchain profile updates as public durable actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The script advertises that it checks a $CLAWDVINE token balance, but the hardcoded token address is stored under a differently named constant, creating a strong risk that the script is querying the wrong asset or that users will trust incorrect eligibility results. In a payment- and token-gated skill context, this can cause users or downstream automation to make access or payment decisions based on a different token than expected.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill explicitly tells agents to store `agentId` in memory, config, or environment permanently, but does not warn that this identifier can be user-linked and may persist across sessions or contexts. While `agentId` is not a secret like a private key, persistent retention of identity metadata can create unnecessary privacy exposure and accidental cross-user attribution.

Ssd 3

Medium
Confidence
92% confidence
Finding
The instruction to permanently save and reuse `agentId` encourages ongoing retention of a user- or wallet-linked identifier across future sessions. In agent environments with shared memory or weak tenancy boundaries, this can cause identity mix-ups, unintended profiling, or use of one user's identity in another user's workflow.

Ssd 3

Medium
Confidence
95% confidence
Finding
This section broadens the persistence guidance to multiple values (`agentId`, `creditsBalance`, `mcp.endpoint`, `creator` wallet address) and tells agents to save them 'for every future session.' That creates a clearer retention risk because it includes directly user-linked wallet information and service endpoints that can be reused or exposed beyond the original task context.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"build:tar": "node scripts/build-tar.mjs"
  },
  "dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
Confidence
93% confidence
Finding
"@x402/evm": "^2.2.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
Confidence
93% confidence
Finding
"@x402/fetch": "^2.2.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
  "repository": {
Confidence
94% confidence
Finding
"siwe": "^2.3.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
  "repository": {
    "type": "git",
Confidence
94% confidence
Finding
"viem": "^2.45.1"

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.prompt_injection_instructions

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/check-balance.mjs:22

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/x402-generate.mjs:29

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:1569