Elsa x402 API

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can use local private keys to spend funds and automatically sign blockchain transactions supplied by an external API, so it needs careful review before use.

Install only with a dedicated low-balance payment wallet and a separate limited trading wallet. Keep execution tools disabled unless you are prepared for real onchain transactions, prefer external_signer mode where possible, inspect every transaction before signing, avoid debug logging, and do not rely on the advertised daily budget as a hard safety boundary unless the host runs the skill in a persistent process or adds persistent budget enforcement.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill explicitly requires environment access to PAYMENT_PRIVATE_KEY and optionally TRADE_PRIVATE_KEY, yet no corresponding permission declaration is shown beyond metadata. In a DeFi skill, access to signing/payment secrets is highly sensitive because these keys can authorize payments and transactions, so undeclared secret access reduces transparency and weakens review and policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The description frames the skill as portfolio analysis, token search, and swap execution, but the documented behavior also includes higher-risk capabilities such as limit-order management, perpetual trading, pipeline orchestration, transaction submission, and local private-key-based signing/broadcasting. This mismatch is dangerous because users or automated reviewers may grant trust based on the narrower description while the skill can perform materially riskier financial actions with direct fund exposure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill description says it provides portfolio analysis, token search, and swap execution, but this client also exposes limit-order creation/cancellation and perpetual position open/close operations. In a financial trading context, that capability mismatch is dangerous because higher-risk trading actions can be invoked without being clearly disclosed to users or reviewers, increasing the chance of unauthorized or surprising real-money trading behavior.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The client implements transaction-history retrieval that is not mentioned in the manifest description. While less severe than hidden trading functionality, undisclosed access to wallet transaction history still expands the skill's effective data-collection scope and can expose sensitive financial behavior without clear disclosure.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The exported tool surface exceeds the stated skill description by including limit-order and perpetuals trading capabilities, which are materially different and higher-risk financial actions than portfolio analysis, token search, and swap execution. This creates a scope-transparency problem: operators or users may enable or trust the skill under incomplete assumptions, increasing the chance of unintended access to advanced trading functions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The quick-start documentation tells users to export a private key directly into an environment variable but does not warn about secure key handling, shell history exposure, process/environment leakage, or the need to use a dedicated low-value payment wallet. In a DeFi trading skill, this is materially risky because users are being prompted to handle blockchain credentials for live micropayments, and poor operational guidance can lead to wallet compromise or unintended financial loss.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README explicitly tells users they can 'just talk naturally' and maps plain-language requests like 'Swap 10 USDC to WETH on Base' to tool execution. In a skill that can spend micropayment funds and, when enabled, perform real onchain swaps, broad activation guidance increases the chance an agent invokes paid or state-changing tools from ambiguous user prompts without sufficiently scoped intent or safety checks.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Multiple functions send wallet addresses, transaction hashes, order details, and trading parameters to external Elsa API endpoints, but this code shows no user-facing notice, consent step, or data-minimization control. In a DeFi skill, this can expose highly sensitive financial and behavioral data to a third party and may surprise users who expect local-only analysis or narrowly scoped execution.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code logs raw parsed arguments on execution and logs full error objects on failure, which can include wallet addresses, token selections, amounts, slippage, pipeline IDs, transaction hashes, and possibly confirmation tokens. In a DeFi trading skill, these details are sensitive operational metadata that can expose user financial activity, facilitate correlation of accounts and trades, and leak execution secrets into centralized log sinks.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code directly loads a trade or payment private key from configuration and prepares a wallet client capable of signing transactions without any local approval gate, policy check, or transaction allowlisting. In a DeFi swap execution skill, this is especially dangerous because upstream API-driven pipeline tasks can lead to real asset movements, so compromise, misconfiguration, or malicious task generation could trigger unauthorized signing with live funds.

Missing User Warnings

High
Confidence
97% confidence
Finding
When a task enters sign_pending state, the local_signer mode automatically maps API-supplied transaction data and immediately signs and broadcasts it with the configured private key. Because this skill is designed for DeFi execution via an external Elsa API, the absence of user confirmation, transaction simulation, semantic validation, or recipient/contract allowlisting creates a direct path for malicious or incorrect upstream data to drain funds or approve unlimited token access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code logs the full request payload via `logger.debug({ endpoint, payload }, 'Calling Elsa API');` before transmitting it to the Elsa API. In a DeFi and payment-enabled skill, payloads can contain wallet addresses, token positions, trade parameters, or other sensitive financial/user data; writing them to logs without minimization or user disclosure creates a real confidentiality risk if logs are retained, exported, or accessed by operators or attackers.

VirusTotal

64/64 vendors flagged this skill as clean.