Back to skill

Security audit

ClawdVine

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed ClawdVine video, wallet-payment, and agent-network integration, but users should treat its wallet and onchain features carefully.

Install only if you intend to use ClawdVine with wallet-signed payments or agent identity features. Use a dedicated low-balance wallet, review the exact cost, receiver, chain, prompt, token-launch settings, and margin-fee changes before approving, and do not store your wallet private key in persistent agent memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest markets the skill as simple video generation with payment, but the body documents substantially broader capabilities including identity registration, profile management, feedback, search, style training, and token-related features. This mismatch can mislead operators and downstream policy engines about the skill's true authority and data flows, increasing the chance that sensitive or irreversible actions are enabled without proper review.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Token launch is a high-risk financial/onchain capability that is not justified by a skill presented as short-form video generation. Enabling token deployment from a media-generation skill expands the blast radius from content creation into asset issuance and potentially irreversible blockchain actions, creating material risk of accidental or unauthorized launches.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Onchain identity minting and agent registration are materially broader than the manifest's stated video/payment purpose. These features involve persistent identity creation, external posting/verification, and blockchain-linked state changes, so under-disclosing them weakens informed consent and can bypass risk classification based on metadata alone.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script documentation and user-facing output say it checks a $CLAWDVINE token balance, but the code uses a constant named IMAGINE_TOKEN and queries that contract address instead. This can mislead users into making eligibility or payment decisions based on the wrong asset, which is especially risky in a crypto/payment skill where token identity determines value and access.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"build:tar": "node scripts/build-tar.mjs"
  },
  "dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
Confidence
88% confidence
Finding
"@x402/evm": "^2.2.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
Confidence
88% confidence
Finding
"@x402/fetch": "^2.2.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
  "repository": {
Confidence
90% confidence
Finding
"siwe": "^2.3.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@x402/evm": "^2.2.0",
    "@x402/fetch": "^2.2.0",
    "siwe": "^2.3.2",
    "viem": "^2.45.1"
  },
  "repository": {
    "type": "git",
Confidence
87% confidence
Finding
"viem": "^2.45.1"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.prompt_injection_instructions

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/check-balance.mjs:22

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/x402-generate.mjs:29

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
SKILL.md:1565