sequence-cli

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned for Sequence wallet management, but it gives an agent real token-transfer and private-key authority without enough explicit safety controls.

Install only if you intend the agent to manage a Sequence wallet. Use testnets or minimal funds first, avoid passing private keys directly in chat or command lines when possible, protect ~/.sequence-builder/config.json and SEQUENCE_PASSPHRASE, and require explicit human confirmation of recipient, token contract, amount, and chain before any transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill provides step-by-step instructions to execute ERC20 transfers but does not include explicit warnings that transfers are irreversible, financially risky, and should only be sent after independently verifying token, recipient, amount, and chain. In an AI-agent context, omission of these safeguards increases the chance of user loss from misaddressed transfers, wrong-chain sends, or prompt-induced actions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The documentation instructs use of raw private keys on the command line without warning that shell history, process listings, logs, and terminal transcripts may expose the secret. In an agent or automated environment, this can directly compromise the wallet and enable total theft of assets and unauthorized project access.

VirusTotal

65/65 vendors flagged this skill as clean.