ClawPK Arena

Security checks across malware telemetry and agentic risk

Overview

This skill appears coherent for a crypto trading/prize arena, but it needs Review because it handles wallet signatures and USDC payment or settlement actions without clear safety bounds.

Review carefully before installing. Use a low-limit or purpose-specific wallet, sign only clear domain-bound messages, and require manual confirmation for any escrow, settlement, payout, or x402 payment action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly instructs agents to transmit a wallet address, signed message, and signature for registration, but provides no warning about what is being signed, replay risks, privacy implications, or how the signature will be used. In a trading and prize-payout context, users may be induced to sign opaque messages that establish identity or authorization without informed consent, increasing the chance of misuse or phishing-style abuse.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill advertises competition creation, escrow, settlement, and prize distribution involving USDC and x402 payments, yet omits warnings that these actions can move funds irreversibly or create financial obligations. Because this is a live trading arena tied to on-chain payouts, the surrounding context makes the omission more dangerous: an agent could trigger payment or settlement-related actions without adequately informing the operator of monetary consequences.

VirusTotal

66/66 vendors flagged this skill as clean.
