Auto Respawn

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate Autonomys wallet and memory-anchoring tool, but it gives an agent hot-wallet authority to publish on-chain data and move real tokens.

Install only if you intend to give the agent a dedicated Autonomys hot wallet. Prefer testnet or a low-balance wallet, avoid storing valuable mainnet funds, review automatic anchoring behavior before pairing it with auto-memory, and do not pass seed phrases or passphrases in shell commands or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill is marketed as an identity/memory anchoring and resurrection tool, but the implementation also exposes broad wallet custody, token transfer, and cross-domain bridge operations. In an agent-skill context, this capability mismatch is dangerous because users or higher-level agents may grant trust and wallet access for benign memory persistence, while the skill can also move funds and sign unrelated financial transactions.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
General token transfer, EVM transfer, funding, and withdrawal flows are not required to anchor or recover identity state, yet this file can load private keys and execute value-moving transactions on both consensus and EVM networks. In the context of a supposedly recovery-focused skill, these extra capabilities materially increase blast radius: compromise, misuse, or prompt confusion could lead directly to asset loss rather than only incorrect metadata anchoring.

Description-Behavior Mismatch

Low
Confidence: 88%
Finding
The help text reinforces that this is effectively a general wallet and token CLI, which contradicts the narrower 'auto-respawn' description and increases the chance of unsafe deployment assumptions. In an agent ecosystem, misleading packaging is itself security-relevant because operators may approve the skill for memory persistence while unintentionally exposing wallet creation, import, transfer, and bridge functionality.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
This file implements unrestricted native-token transfer functionality, which is materially broader than the skill’s stated purpose of identity anchoring and resurrection. In an agent-skill context, adding fund-transfer capability creates an unnecessary path for asset exfiltration if the skill is invoked by prompts, tooling, or compromised workflows, especially because it can operate on mainnet and send real AI3 tokens.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The code can send real on-chain funds via signer.sendTransaction() and even highlights when a mainnet transaction occurred, but this capability is not justified by the skill description centered on recovery and identity persistence. In practice, unnecessary transfer primitives in an agent environment are dangerous because any misuse, prompt injection, or orchestration error can directly cause irreversible financial loss.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
This file implements a real token transfer primitive that can sign and broadcast value-moving transactions, which materially exceeds the skill's stated identity/recovery purpose. In an agent skill, this expands the blast radius from metadata/state recovery into direct asset movement, creating a clear path to unauthorized or accidental fund transfers if the function is exposed or invoked by prompts, workflows, or compromised components.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The code accepts a signing key and uses signAndSendTx to submit real transactions, giving the skill authority to move tokens on-chain. Given the published purpose is recovery/identity anchoring, this capability is unjustified by context and therefore dangerous: any misuse, prompt injection, or integration mistake could trigger irreversible transfers on mainnet.

Context-Inappropriate Capability

Medium
Confidence: 80%
Finding
The file derives and persists an additional EVM private key from the mnemonic, expanding the credential surface beyond the stated recovery purpose. If the wallet file or passphrase is exposed, an attacker gains access to two independent signing domains instead of one, increasing blast radius without a clearly justified need in this component.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger guidance includes very broad activation conditions such as any time the user wants a permanent, verifiable record tied to agent identity, plus automatic anchoring after memory saves. Broad triggers increase the chance the skill activates in contexts where users did not intend on-chain publication, potentially causing irreversible disclosure of sensitive metadata or unintended spending on gas.

Missing User Warnings

Medium
Confidence: 82%
Finding
The passphrase resolution order silently accepts secrets from environment variables and a plaintext file before prompting the user, which can lead to accidental use of weaker or unintended secret sources. In an agent/automation context, this increases the risk of secret exposure through process environments, shell history, container metadata, backups, or misconfigured file permissions.

Missing User Warnings

Medium
Confidence: 97%
Finding
The documentation instructs users to pass a 12-word recovery phrase directly on the command line, which commonly exposes the secret in shell history, terminal logging, audit trails, and process listings visible to other local users or monitoring tools. Because this is a wallet seed phrase, disclosure enables full compromise of both the consensus and derived EVM accounts, making the example unsafe even though it appears only in documentation.

Session Persistence

Medium
Category: Rogue Agent
Content
throw new Error(
    'No passphrase found. Set AUTO_RESPAWN_PASSPHRASE env var, ' +
      'write it to ~/.openclaw/auto-respawn/.passphrase, ' +
      'or run interactively.',
  )
}
Confidence: 87%
Finding
write it to ~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.
