Trails - pay with any token from any chain

Security checks across malware telemetry and agentic risk

Overview

This is a real Trails integration guide, but it gives an agent broad key-searching instructions and asset-moving blockchain examples without enough guardrails.

Install only if you intentionally want an AI agent helping with Trails/Web3 transaction code. Before use, restrict the agent to Trails-specific env vars, avoid exposing privileged API keys in client code, pin package versions, and manually review every generated payment, swap, bridge, calldata, or batch-settlement flow before signing or deploying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%

Finding: The skill instructs the agent to inspect environment variables and project files for API keys and to contact external Trails endpoints, but the skill metadata declares no corresponding permissions. This mismatch is risky because it can cause undeclared access to secrets and network egress, undermining least-privilege review and making users unaware that sensitive data may be read or transmitted.

Vague Triggers

Severity: Medium
Confidence: 93%

Finding: The activation triggers include very broad phrases such as 'cross-chain', 'swap', 'payments', and 'bridge', which are likely to match many unrelated user requests. In an agent-skill context, overbroad triggers can cause the skill to activate unexpectedly and inject third-party guidance into contexts where it was not explicitly requested, increasing the chance of inappropriate code suggestions or unreviewed external-service integration.

Vague Triggers

Severity: Medium
Confidence: 89%

Finding: The installation verification section reinforces the same vague trigger phrases without defining when activation should not occur. Repetition of ambiguous triggers increases accidental invocation risk, especially in AI coding agents that may auto-load skills based on keyword matches rather than user intent.

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding: The README instructs users to place NEXT_PUBLIC_TRAILS_API_KEY in client-side environment configuration without any warning that public client variables are exposed to browsers and can be extracted by end users. If this key has meaningful privileges, it can be abused for unauthorized API usage, quota exhaustion, billing impact, or impersonation of the application's integration.

Vague Triggers

Severity: Medium
Confidence: 81%

Finding: The trigger list contains broad terms like "payment", "payments", "defi", and "intent", which can cause the skill to activate in unrelated conversations. Over-broad invocation increases the chance the agent will inappropriately steer users toward this integration flow, including asking about API keys or suggesting networked actions in contexts where the skill was not intended.

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding: The documentation provides ready-to-run examples that commit and execute cross-chain intents, which can move funds and may be irreversible once submitted, but it does not prominently warn users about transaction finality, bridge risk, wrong-address risk, or the need for explicit user confirmation. In an AI-agent integration context, omission of such warnings is more dangerous because implementers may automate the flow and expose end users to unintended fund movement.

Missing User Warnings

Severity: Low
Confidence: 84%

Finding: The setup instructions tell users to place the API key in an environment variable but do not explicitly identify it as a sensitive secret or warn against logging, hardcoding, or committing it to source control. This is a documentation security weakness that can lead to credential leakage, especially in copied examples or AI-generated integrations.

Missing User Warnings

Severity: Medium
Confidence: 87%

Finding: This documentation explicitly demonstrates arbitrary destination calldata and an approval-plus-deposit multicall pattern, but it does not give a strong, explicit warning that these calls can transfer, approve, or lock user funds if pointed at the wrong contract or constructed incorrectly. In a cross-chain context, users and integrators may treat these examples as safe defaults, increasing the chance of unsafe approvals, unlimited allowances, or execution against untrusted contracts.

Missing User Warnings

Severity: Medium
Confidence: 76%

Finding: Documentation that implies transactions may 'execute automatically' without clearly warning about transactional side effects can cause integrators to implement flows that trigger signing or onchain execution without sufficient user awareness. In a cross-chain payments and bridging context, unclear execution semantics are more dangerous because users may authorize token movement, bridging, or contract calls with real financial consequences.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding: The documentation provides copy-paste examples for payments, swaps, bridging, and post-bridge contract execution without prominently warning that these actions move assets and may be irreversible. In this context, developers may embed the widget in production flows without adding user confirmations, amount/recipient verification, or disclosure about slippage, bridge risk, and finality, increasing the chance of accidental loss or misdirected funds.

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding: The batch settlement helper performs actual value-moving operations from a treasury context and invokes signing logic automatically for each settlement entry, but there is no approval gate, authorization check, recipient validation, or explicit confirmation at the point of execution. In an agent or automation setting, untrusted or mistaken input to the settlements array could cause unintended cross-chain transfers of treasury funds to arbitrary recipients.

VirusTotal

66/66 vendors flagged this skill as clean.
