Write Contracts

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Aptos Move contract-writing skill with some code-quality risks, but no hidden execution, credential access, persistence, or deceptive behavior was found.

Use this as drafting assistance only. Confirm that the task is actually Aptos Move, compare generated patterns against current Aptos documentation, fix the noted NFT ownership and percentage-overflow issues before reuse, run CLI publish/run commands only on the intended profile and network, and get an independent audit before deploying contracts that manage real assets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Severity: Medium
Confidence: 97%

Finding
The example documents a nested-ownership model where NFTs are owned by the collection, but the `transfer_nft` entry function checks that the caller directly owns the NFT object. In practice this mismatch can make transfers fail or mislead developers into implementing incorrect authorization logic in production contracts, causing broken asset movement or unsafe modifications when they attempt to reconcile the inconsistency.
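The following Aptos Move module is an added illustration of the mismatch this finding describes; it is not code from the skill or from the scanner. The module address, the `Nft` resource and the function names are hypothetical. Only `aptos_framework::object` is real: `object::is_owner` tests direct ownership, while `object::owns` walks the owner chain (NFT object -> collection object -> account), which is what a nested-ownership model needs.

```move
/// Added illustration, not the skill's own code. `example::nft_transfer`,
/// `Nft` and the function names are hypothetical; `aptos_framework::object`
/// is the real framework module.
module example::nft_transfer {
    use std::signer;
    use aptos_framework::object::{Self, Object};

    /// Hypothetical abort code for a caller that does not own the NFT.
    const E_NOT_OWNER: u64 = 1;

    /// Minimal marker resource so the object can be typed as `Object<Nft>`.
    struct Nft has key {}

    /// Direct-ownership check, the pattern the flagged `transfer_nft` uses.
    /// When the NFT object is owned by a collection object that the caller
    /// owns, this returns false even though the caller is the ultimate owner.
    public fun caller_owns_directly(caller: &signer, nft: Object<Nft>): bool {
        object::is_owner(nft, signer::address_of(caller))
    }

    /// Nested-ownership check: `object::owns` follows the owner chain
    /// (nft -> collection -> caller), matching the model the skill documents.
    public fun caller_owns_nested(caller: &signer, nft: Object<Nft>): bool {
        object::owns(nft, signer::address_of(caller))
    }

    /// Entry function using the nested check, so a legitimate owner of a
    /// collection-owned NFT is not rejected before the transfer.
    public entry fun transfer_nft(caller: &signer, nft: Object<Nft>, to: address) {
        assert!(caller_owns_nested(caller, nft), E_NOT_OWNER);
        object::transfer(caller, nft, to);
    }

    /// Constructed test scenario: alice owns a collection object, and the NFT
    /// object is owned by that collection rather than by alice directly.
    #[test(alice = @0xa11ce)]
    fun direct_check_fails_nested_check_passes(alice: &signer) {
        let alice_addr = signer::address_of(alice);
        let collection_ref = object::create_object(alice_addr);
        let collection_addr = object::address_from_constructor_ref(&collection_ref);
        let nft_ref = object::create_object(collection_addr);
        let nft_signer = object::generate_signer(&nft_ref);
        move_to(&nft_signer, Nft {});
        let nft = object::object_from_constructor_ref<Nft>(&nft_ref);

        // The direct check that the flagged function relies on rejects alice.
        assert!(!caller_owns_directly(alice, nft), 0);
        // The nested check recognises alice as the ultimate owner.
        assert!(caller_owns_nested(alice, nft), 1);
    }
}
```

Run the test with `aptos move test` from a package that lists AptosFramework as a dependency. The point to take from it is that the ownership model documented in prose and the predicate used in the entry function have to agree; whichever one is wrong, the result is either transfers that abort for the rightful owner or, if a developer "fixes" the abort by loosening the check, an authorization bypass.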

Intent-Code Divergence

Severity: Medium
Confidence: 97%

Finding
The example is presented as a safe arithmetic pattern, but `(amount * percentage_bp) / BASIS_POINTS_DIVISOR` performs an unchecked `u64` multiplication first. Move integer arithmetic aborts on overflow rather than wrapping, so a large `amount` makes the intermediate product overflow and the transaction abort, even though the final quotient would fit in a `u64`. That makes the guidance unsafe for developers who copy it into financial logic such as fee, reward, or royalty calculations.

Vague Triggers

Severity: Medium
Confidence: 90%

Finding
The trigger phrases are very broad and match common software-development requests such as writing contracts, minting, marketplaces, staking, and DAOs. This can cause the skill to activate in situations it was not specifically intended for, increasing the chance that its strong prescriptive guidance overrides safer context-specific reasoning or is applied to unrelated tasks.

Missing User Warnings

Severity: Medium
Confidence: 98%

Finding
The percentage example offered as security guidance contains an unchecked `u64` multiply that can overflow, and abort, before the division brings the value back into range. Because the skill is explicitly for generating 'secure' Aptos Move contracts, unsafe reference material is more dangerous: users may treat it as vetted secure code and reproduce denial-of-service conditions or faulty financial calculations in production modules.
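The module below is an added worked example for the basis-point overflow raised in this finding and in the earlier Intent-Code Divergence finding; it is not code from the skill or the scanner. It places the flagged expression next to a hardened form that widens to `u128` before multiplying, so the intermediate product cannot overflow, and bounds `percentage_bp` so the narrowing cast back to `u64` is always safe. The module address, function names and the abort code are hypothetical; `BASIS_POINTS_DIVISOR` is the constant named in the finding.

```move
/// Added illustration, not the skill's own code. `example::fees`, the
/// function names and `E_BPS_TOO_LARGE` are hypothetical.
module example::fees {
    /// 100% expressed in basis points (1 bp = 0.01%).
    const BASIS_POINTS_DIVISOR: u64 = 10_000;
    /// Hypothetical abort code for a percentage above 100%.
    const E_BPS_TOO_LARGE: u64 = 1;

    /// The flagged pattern: the u64 multiply runs first and aborts whenever
    /// amount * percentage_bp exceeds 2^64 - 1, long before the divide.
    public fun fee_unchecked(amount: u64, percentage_bp: u64): u64 {
        (amount * percentage_bp) / BASIS_POINTS_DIVISOR
    }

    /// Hardened form. Widening to u128 makes the product at most
    /// (2^64 - 1) * 10_000, which fits in u128 with room to spare, and
    /// bounding percentage_bp guarantees the quotient is <= amount, so the
    /// cast back to u64 cannot truncate.
    public fun fee_checked(amount: u64, percentage_bp: u64): u64 {
        assert!(percentage_bp <= BASIS_POINTS_DIVISOR, E_BPS_TOO_LARGE);
        let product = (amount as u128) * (percentage_bp as u128);
        ((product / (BASIS_POINTS_DIVISOR as u128)) as u64)
    }

    /// Constructed input: u64::MAX at 2.5% (250 bp).
    /// floor(18446744073709551615 * 250 / 10000) = 461168601842738790.
    #[test]
    fun checked_form_handles_max_amount() {
        let amount: u64 = 18_446_744_073_709_551_615;
        assert!(fee_checked(amount, 250) == 461_168_601_842_738_790, 0);
        // A full 100% returns the amount itself, the upper bound of the result.
        assert!(fee_checked(amount, BASIS_POINTS_DIVISOR) == amount, 1);
    }

    /// Same input through the flagged expression aborts with an arithmetic
    /// error instead of returning the fee.
    #[test]
    #[expected_failure(arithmetic_error, location = Self)]
    fun unchecked_form_aborts_on_max_amount() {
        fee_unchecked(18_446_744_073_709_551_615, 250);
    }

    /// The bound also rejects percentages above 100%, which would otherwise
    /// let the result exceed the input and silently inflate a payout.
    #[test]
    #[expected_failure(abort_code = E_BPS_TOO_LARGE, location = Self)]
    fun checked_form_rejects_over_100_percent() {
        fee_checked(1_000, BASIS_POINTS_DIVISOR + 1);
    }
}
```

Both tests run with `aptos move test`. Any amount above roughly 1.8e15 (2^64 / 10_000) trips the unchecked form at 100%, and proportionally smaller percentages only move that threshold up; token amounts in base units routinely exceed it, which is why the overflow is a practical denial-of-service rather than a theoretical one.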

Vague Triggers

Severity: Medium
Confidence: 90%

Finding
The trigger examples are broad, generic words like "store," "track," "mapping," and "collection," which can cause the skill to activate in many unrelated conversations. Over-broad activation increases the chance the agent injects contract-specific guidance into contexts where it was not intended, which can confuse users, derail workflows, or cause unsafe code-generation assistance to appear without sufficient context.

VirusTotal

64/64 vendors flagged this skill as clean.