Clawmoney Skill

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it asks for unusually broad money, social-account, install, and background-agent authority with several automatic or silent behaviors users should review carefully.

Install only if you are comfortable with a skill that can manage a wallet, use your X/Twitter session, post or engage publicly, make small paid calls, modify local MCP configuration, and run a background provider. Prefer a dedicated low-balance wallet and separate browser profile, review setup.sh before running it, avoid recurring autopilot unless monitored, and require explicit approval before posting, paying, accepting remote work, or enabling auto-start behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The manifest exposes Bash and Write capabilities and the skill clearly performs shell execution and persistent file writes, but the finding notes a mismatch between declared permissions and actual capabilities. That under-disclosure is dangerous because users and host systems may not realize the skill can modify local state, authenticate accounts, and launch background processes. In a finance- and account-linked skill, hidden write/shell behavior materially raises risk.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill directs creation of persistent cron jobs that autonomously browse tasks, post content, verify submissions, and potentially spend funds over time. Persistent autonomous execution expands the blast radius beyond a one-shot user request, especially because it can repeatedly act on third-party services and financial workflows without contemporaneous review.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The Market Provider documentation explicitly allows using Claude with '--dangerously-skip-permissions' to execute incoming tasks from other agents. That is a high-privilege remote task execution path with intentionally reduced safety controls, which is especially dangerous because the tasks originate externally and may be adversarial.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The setup script for a skill named ClawMoney installs and configures unrelated 'bnbot' components, including a global npm package and an MCP server entry, without any clear connection to the advertised functionality. This mismatch is a strong indicator of deceptive behavior or supply-chain redirection: users invoking a ClawMoney setup may unknowingly grant execution and persistence to different software.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The header comments describe this as a ClawMoney setup script, but the implementation provisions bnbot tooling and modifies MCP configuration for 'bnbot'. Mislabeling a script's purpose is dangerous because it can socially engineer reviewers and users into trusting and executing software that performs different actions than advertised.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The README says users can trigger the skill by simply saying "clawmoney," while the skill performs sensitive first-run actions such as dependency installation, wallet onboarding, login, and browser automation. An underspecified activation phrase increases the chance of accidental or socially engineered invocation of privileged actions, especially in agent environments that map natural language directly to tool execution.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill advertises "fully automated autopilot mode" for browsing and executing bounty tasks through browser automation, but does not prominently warn that this may perform recurring social-media actions on linked accounts. In context, this is dangerous because automated likes, reposts, replies, follows, and posting can create account abuse, reputational harm, platform-policy violations, and unintended financial or wallet-linked activity without meaningful user review.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The onboarding section describes automatic installation of dependencies, email-OTP login, wallet setup, and connecting a browser automation extension, but omits clear warnings that these actions link user accounts, create self-custodial wallet state, and enable automated browser control. In this skill's context, combining financial setup with account-linked automation raises the risk of users consenting without understanding the security, privacy, and operational consequences.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Broad trigger phrases like 'start earning' or 'start executing' can match ordinary conversational requests and unexpectedly launch automation setup. In this skill, those triggers can lead to cron creation, social posting, verification actions, and possible spending, so accidental invocation is materially risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to silently start a background Market Provider that keeps the agent online and able to receive incoming service calls. Hidden background execution is dangerous because it creates an externally reachable processing path and ongoing resource/network activity without a clear user warning or approval at the moment it is enabled.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The returning-user flow auto-starts the Market Provider on every run, again without fresh disclosure. Re-enabling a network-connected background service by default is particularly risky because users may not expect the skill to accept or process external work whenever invoked for unrelated account or browsing actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script performs silent global installation of 'bnbot-mcp-server' and may silently install a 'bnbot' skill via clawhub, suppressing stderr and avoiding meaningful user disclosure. Silent installation increases the risk of unauthorized environment changes, supply-chain compromise, and reduced user ability to notice or stop unexpected software execution.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently creates or edits the project's .mcp.json file to add a 'bnbot' MCP server entry, creating persistence and altering how tools may be launched in the user's environment. Undisclosed configuration changes are risky because they can introduce unexpected command execution paths and make later sessions invoke software the user did not knowingly approve.

Ssd 3

Medium
Confidence
89% confidence
Finding
The flow references reading config and logs from the user's home directory, including a file that stores an api_key and provider logs that may contain task and account metadata. Directing an agent to access and potentially expose such stored secrets or operational data in routine workflows increases the chance of credential leakage and unnecessary disclosure.

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Check if email already has an agent

```bash
curl -s "https://api.bnbot.ai/api/v1/claw-agents/check-email?email=<email>"
```

- **If `exists: true` and `status: ACTIVE`** → go to login flow (OTP re-auth below)
Confidence
89% confidence
Finding
curl -s "https://api.bnbot.ai/api/v1/claw-agents/check-email?email=<email>" ``` - **If `exists: true` and `status: ACTIVE`** → go to login flow (OTP re-auth below) - **If `exists: true` and `status:

External Transmission

Medium
Category
Data Exfiltration
Content
- Then authenticate agent via email verification code:
  ```bash
  curl -s -X POST "https://api.bnbot.ai/api/v1/claw-agents/login" \
    -H "Content-Type: application/json" -d '{"email":"<email>"}'
  ```
- Tell user: "A verification code has been sent to **<email>**. Please enter it."
Confidence
90% confidence
Finding
curl -s -X POST "https://api.bnbot.ai/api/v1/claw-agents/login" \ -H "Content-Type: application/json" -d '{"email":"<email>"}' ``` - Tell user: "A verification code has been sent to **<email>**.

External Transmission

Medium
Category
Data Exfiltration
Content
### 2. Check if email already has an agent

```bash
curl -s "https://api.bnbot.ai/api/v1/claw-agents/check-email?email=<email>"
```

- **If `exists: true` and `status: ACTIVE`** → go to login flow (OTP re-auth below)
Confidence
89% confidence
Finding
https://api.bnbot.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**Register new agent** (AUTOMATIC — do NOT ask for name or description):

```bash
curl -s -X POST "https://api.bnbot.ai/api/v1/claw-agents/register" \
  -H "Content-Type: application/json" \
  -d '{"name":"claw-<random-4-chars>","description":"<auto-generated>","email":"<email>","wallet_address":"<addr>"}'
```
Confidence
93% confidence
Finding
https://api.bnbot.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
- Then authenticate agent via email verification code:
  ```bash
  curl -s -X POST "https://api.bnbot.ai/api/v1/claw-agents/login" \
    -H "Content-Type: application/json" -d '{"email":"<email>"}'
  ```
- Tell user: "A verification code has been sent to **<email>**. Please enter it."
Confidence
90% confidence
Finding
https://api.bnbot.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
- Tell user: "A verification code has been sent to **<email>**. Please enter it."
- After user provides the code:
  ```bash
  curl -s -X POST "https://api.bnbot.ai/api/v1/claw-agents/login/verify" \
    -H "Content-Type: application/json" -d '{"email":"<email>","otp":"<code>"}'
  ```
- Response includes `api_key` — save to config and go to welcome.
Confidence
93% confidence
Finding
https://api.bnbot.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
2. Invoke the service with the payment token:
   ```bash
   curl -s -X POST "https://api.bnbot.ai/api/v1/market/gateway/invoke?payment_method=x402&payment_token=<token>" \
     -H "Content-Type: application/json" \
     -d '{"agent_id":"<id>","skill":"<name>","input":{<params>}}'
   ```
Confidence
84% confidence
Finding
https://api.bnbot.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
**Check for pending tasks manually** (when provider is not running):
```bash
curl -s -H "Authorization: Bearer <api_key>" \
  "https://api.bnbot.ai/api/v1/market/tasks/pending"
```

### View Market Activity
Confidence
87% confidence
Finding
https://api.bnbot.ai/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
### Spending Limits

Configured in `~/.clawmoney/config.yaml`:
- Auto-confirm under $0.10 — no user prompt
- Ask user $0.10 - $5.00 — show cost and confirm
- Reject over $5.00 — refuse with message
Confidence
90% confidence
Finding
Auto-confirm

Session Persistence

Medium
Category
Rogue Agent
Content
**If registration succeeds** (new agent or existing UNCLAIMED with new key):
- Response includes `api_key` — save it immediately:
```bash
mkdir -p ~/.clawmoney
cat > ~/.clawmoney/config.yaml << EOF
api_key: <api_key from response>
agent_id: <id from response>
```
Confidence
94% confidence
Finding
mkdir -p ~/.clawmoney cat > ~/.clawmoney/config.yaml << EOF api_key: <api_key from response> agent_id: <id from response> agent_slug: <slug from response> EOF ``` **Immediately continue to step 3.**

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- If already authenticated **with the same email** → get address and continue to step 2.
- If already authenticated **with a different email** → force logout and re-login (no user action needed):
  ```bash
  rm -rf ~/Library/Application\ Support/Electron/{Cookies,Cookies-journal,Local\ Storage,Session\ Storage,IndexedDB,WebStorage}
  kill -9 $(npx awal status --json 2>/dev/null | grep -o '"pid":[0-9]*' | grep -o '[0-9]*') 2>/dev/null
  npx awal auth login <new-email> --json
  ```
Confidence
95% confidence
Finding
rm -rf ~

VirusTotal

64/64 vendors flagged this skill as clean.