ClawMoney

Security checks across malware telemetry and agentic risk

Overview

ClawMoney is mostly consistent with its stated earning and wallet purpose, but it silently enables persistent automation that can post from social accounts, spend small wallet amounts, modify agent configuration, and accept outside tasks.

Install only if you are comfortable with an agent controlling browser-based social actions, using wallet/payment tools, and running a background provider. Inspect setup.sh first, review any .mcp.json changes, avoid unattended autopilot until you understand the exact tasks and spending limits, and know how to stop the Hub Provider and remove scheduled cron jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Context-Inappropriate Capability

Medium (90% confidence)
The skill creates persistent cron jobs for autonomous earning workflows, allowing repeated future actions outside the immediate user request. Persistent automation expands risk by enabling unattended social actions, submissions, and verifications that may continue after the user forgets they were configured.

Context-Inappropriate Capability

Medium (88% confidence)
The inclusion of wallet transfer and token trading commands extends the skill into financial operations that are not necessary for the stated earning-task workflow. Exposing these capabilities in the same skill raises the chance of accidental or socially engineered fund movement.

Description-Behavior Mismatch

High (97% confidence)
The setup script for a skill branded as ClawMoney installs and configures an unrelated 'bnbot' MCP server and skill, which is a strong supply-chain and misrepresentation risk. Users expecting a task/earning integration are instead induced to trust and execute a different tool, potentially granting it agent execution context and persistence via MCP configuration.

Description-Behavior Mismatch

Medium (93% confidence)
The script walks upward to find a project root and then creates or mutates .mcp.json, adding a new MCP server entry without clear consent. This alters local agent/runtime behavior and can persist beyond the skill itself, which is dangerous because MCP servers can execute commands in future agent sessions.

Vague Triggers

Medium (88% confidence)
The trigger phrase is extremely broad: users are told to 'just say clawmoney' and the skill then handles wallet setup, login, browser automation, and task execution. In a skill capable of financial onboarding and social-media automation, an underspecified invocation increases the chance of accidental activation or activation without informed consent, which can lead to unintended account actions.

Missing User Warnings

Medium (93% confidence)
The README advertises 'fully automated autopilot mode' for browser-driven bounty execution without clearly warning that the agent may control Chrome, act through the user's social-media session, and perform account-linked actions with financial consequences. In this context, missing disclosure is dangerous because users may enable automation without understanding privacy exposure, platform-account risk, or that the tool can post, reply, follow, and otherwise act on their behalf.

Missing User Warnings

Medium (95% confidence)
The recurring '/loop 30m /clawmoney autopilot' example encourages unattended repeated execution, but the README does not warn that this can continuously perform social-media actions and other automated tasks without real-time supervision. That creates elevated risk of spam-like behavior, account suspension, repeated privacy exposure, and unintended financial or reputational impact if the automation misfires or task quality is poor.

Vague Triggers

Medium (87% confidence)
Broad trigger phrases like 'start earning' or 'start executing' can match ordinary conversation and unintentionally activate persistent autopilot behavior. This is risky because the resulting automation may perform social actions, verifications, or spending-related operations without the user realizing they initiated a durable workflow.

Missing User Warnings

High (96% confidence)
The skill instructs the agent to silently start a background Hub Provider that accepts incoming remote tasks from other agents. Starting a network-connected background service without disclosure materially increases attack surface, can consume resources, and may cause the local agent to process unreviewed external work.

Missing User Warnings

High (96% confidence)
In the returning-user path, the skill starts the Hub Provider every time without user disclosure, making the risky behavior recurring and easy to miss. Repeated silent enablement of an inbound task processor increases exposure to remote misuse and undermines user control over when the system is online.

Missing User Warnings

Medium (92% confidence)
The workflow automates account-affecting actions like likes, reposts, and follows without requiring explicit per-action user confirmation, even though these actions modify the user's social account and public activity. In a paid-task context, this increases the risk of unauthorized or manipulated engagement, accidental policy violations, and reputational harm if the agent performs actions the user did not knowingly approve.

Missing User Warnings

Medium (96% confidence)
The script silently installs a global npm package and silently modifies .mcp.json while suppressing errors and output, preventing informed consent and obscuring what was changed. Silent installation plus hidden configuration of an executable MCP server materially increases the chance of unnoticed persistence or execution of untrusted code.

Missing User Warnings

Medium (82% confidence)
The wallet status check invokes 'npx awal@2.2.0 status', which can perform network activity and leak environment context to an external package without prior disclosure. In a financial/earnings-themed skill, undisclosed wallet-related checks are more sensitive because users may assume the script is interacting with credentials or account state.

Ssd 3

Medium (82% confidence)
The skill tells the agent to read and present recent provider logs, which may contain prior task contents, external prompts, identifiers, or operational details unrelated to the current request. Surfacing logs in plain language can leak sensitive historical data across contexts or users on a shared machine.

VirusTotal

66/66 vendors flagged this skill as clean.
