Citrea Claw Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Citrea monitoring CLI with read-only blockchain queries and optional Telegram alerts, with no evidence of hidden theft, destructive behavior, or on-chain mutation.

Install only if you want an agent-run Citrea monitoring CLI. Use a dedicated Telegram bot token, keep the .env file private, avoid committing it, and only run PM2 or monitor commands if you want continuous background alerts sent to the configured Telegram chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares required binaries and environment variables but does not clearly declare or constrain the effective capabilities it asks the agent to use: shell execution, network access, and access to locally stored secrets. That gap matters because the markdown explicitly instructs the agent to execute commands and use networked blockchain/RPC and Telegram functionality, reducing transparency and making risky actions easier to trigger without explicit user awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior extends beyond passive monitoring into transaction-history lookups and Telegram notification flows, including persistent alerting and mention of a separate Telegram test capability. This mismatch is dangerous because users may authorize a seemingly read-only market-monitoring skill without realizing it can store messaging credentials and initiate outbound communications.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The CLI exposes a transaction-history command (`txns`) that is not reflected in the declared skill capability set. This creates a transparency and review gap: users, orchestrators, or security tooling may underestimate what the skill can do, which weakens informed consent and can bypass policy decisions based on the manifest rather than the code.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file imports and later uses Telegram messaging even though the skill is described as a monitoring/query tool. That creates an external data egress path and expands the skill's behavior beyond passive observation, which can surprise users and leak operational information to third parties.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The live monitoring routine does more than monitor: it automatically sends arbitrage results to Telegram when thresholds are met. In an agent skill, unsolicited outbound transmission is risky because it can exfiltrate trading signals, asset interests, and timing data without clear user awareness or approval.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The Telegram send path is not clearly justified by the stated purpose of executing monitoring commands, so users may not expect network egress to a messaging service. This mismatch increases the security risk because a seemingly read-only monitoring skill can covertly publish sensitive observations externally.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The pool-monitoring command performs an additional outbound action by sending Telegram notifications for every detected pool, which expands the skill's effective capability beyond local monitoring/command execution. Even though the data sent is public blockchain data, silent exfiltration to an external service can surprise users, leak operational interests or monitoring activity, and create an unintended data-sharing channel.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
Importing and using Telegram messaging in a skill described as running monitoring commands introduces an external communications capability that is not clearly justified by the stated purpose. This matters because message-sending integrations can become covert outbound channels, especially in agent contexts where users may assume commands only read and display blockchain state.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The setup instructions tell the agent to collect a Telegram bot token and chat ID and write them into a local .env file without warning that these are secrets that will be persisted on disk. Storing credentials this way can expose them to other local processes, backups, logs, or accidental disclosure, especially in shared or loosely secured environments.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs updating the .env file for configuration changes, including sensitive values such as Telegram credentials, without any user-facing notice that stored secrets are being modified on disk. This increases the chance of silent secret persistence, accidental overwrites, and unsafe handling of credentials during routine configuration changes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Telegram alert transmission occurs in the monitor flow without any user-facing disclosure in this file beyond ordinary console status lines. Lack of disclosure undermines informed consent and makes the outbound communication channel harder to detect during normal use, especially in automated agent environments.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The code sends pool and transaction details to Telegram at the call site without an immediate user-facing disclosure or confirmation. While the payload is public on-chain information, automatic forwarding can still reveal the user's monitoring strategy, interests, or activity patterns to a third-party messaging service.

Session Persistence

Medium
Category
Rogue Agent
Content
```
cp .env.example .env
```

Then ask the user the following questions one at a time and write their answers into `.env`:

1. **Telegram Bot Token** — "Do you have a Telegram bot token? If not, open Telegram, search @BotFather, send /newbot and follow the prompts. Paste your token here, or say skip to set up later:"
   → write to `TELEGRAM_BOT_TOKEN`
Confidence
95% confidence
Finding
write their answers into `.env`: 1. **Telegram Bot Token** — "Do you have a Telegram bot token? If not, open Telegram, search @BotFather, send /newbot and follow the prompts. Paste your token here, o

VirusTotal

64/64 vendors flagged this skill as clean.
