Uniclaw Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it handles wallet private-key material directly and can trade or withdraw tokens without built-in confirmation or limits.

Install only if you are comfortable letting this skill use a Unicity wallet identity for trading and withdrawals. Use a separate low-balance or testnet wallet, verify the UniClaw server before use, and require manual review of amount, price, market, and recipient before running buy, cancel, deposit, or withdrawal commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill invokes networked operations and consumes environment-controlled configuration, but the manifest does not declare corresponding permissions. Hidden or undeclared capabilities reduce user and platform visibility into what the skill can access, which is especially risky here because the documented flows involve remote trading, registration, deposits, and withdrawals. In a finance-adjacent skill, undeclared network and env use materially increases trust and review risk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented and detected behavior goes beyond simple market browsing and position management into account registration, deposit/withdraw workflows, wallet restoration from local secrets, and direct signing using private key material. That mismatch is dangerous because users may grant trust based on a narrower description while the skill can perform sensitive wallet and fund-transfer actions. In the context of a token-trading skill, access to wallet secrets and arbitrary withdrawals sharply elevates the blast radius.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding: The documentation explicitly allows withdrawing UCT to any Unicity address, including a human's wallet, which extends the skill from portfolio management into unrestricted value transfer. That is dangerous because a compromised or misused skill could exfiltrate funds to attacker-controlled addresses under the guise of normal operation. In a trading context, withdrawals should be tightly scoped because they are irreversible financial actions.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: The file defines a dedicated helper that bypasses the public SDK surface and extracts the wallet private key from an internal field. For a market-trading skill, exposing raw key material is unnecessary and materially increases the chance of theft, exfiltration, signing abuse, or later misuse by other code paths.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: The inline comment explicitly documents how to circumvent the SDK's public protection boundary by reading a TypeScript-private field that still contains the private key. Normalizing this bypass is dangerous because it encourages maintainers to rely on hidden secret-bearing internals the library intentionally withholds, making accidental or deliberate secret exposure more likely.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding: The script registers an agent account by sending an authenticated request using the wallet-derived private key, which expands the skill's effective capability beyond the stated trading-focused scope. Hidden or undocumented account-registration behavior can mislead users about what actions the skill enables and may cause unintended creation of on-chain or platform identities tied to their wallet.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The skill metadata says it is for trading, browsing markets, and managing positions, but this script can transfer assets out via a withdrawal endpoint. That scope expansion is dangerous because users or higher-level agents may grant trust based on the declared trading-only purpose, while the code also enables direct fund movement using the wallet's private key.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The skill instructs users to execute token-backed trades and withdrawals without prominent risk disclosures, confirmation guidance, or warnings about irreversible loss. In financial workflows, missing safety prompts can lead to accidental trades, improper sizing, or mistaken withdrawals, especially when commands are copy-pasteable and act on real balances. The context makes this more dangerous because prediction-market and wallet operations directly affect assets.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: This function exposes the wallet's raw private key with no user notification, approval step, or containment, turning a trading integration into a secret-export mechanism. In the context of a prediction-market skill, that is especially dangerous because compromise of the key can directly lead to loss of all controlled assets and unauthorized transactions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The code loads the wallet, extracts the private key in hex form, and uses it directly to authorize a network registration request without any warning, confirmation, or minimization of secret exposure. Passing raw private key material through application logic increases the risk of accidental logging, memory exposure, misuse by downstream API helpers, or future code changes that exfiltrate the key.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The script extracts the wallet private key and reuses it directly as authentication material across multiple API requests. If the server, transport handling, client logs, or any dependent API helper mishandles this value, the key can be exposed and an attacker could fully impersonate the wallet owner and potentially control funds or positions. In this trading-skill context, using a raw blockchain private key for routine server API auth is especially dangerous because compromise affects both account identity and asset control.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The script can place or cancel real market orders immediately based only on command-line input, with no interactive confirmation, preview, or secondary check before executing a financially sensitive action. In the context of a trading skill, this increases the risk of accidental trades, misuse by a higher-level agent, or user harm from malformed parameters or unintended invocation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: This script submits a withdrawal immediately once called, with no confirmation prompt, review step, destination verification, or transaction summary acknowledgement. In an agent context, that increases the chance of accidental or unauthorized fund transfers, especially if arguments are supplied by another tool, prompt, or compromised workflow.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script loads the wallet and extracts the private key, then uses it directly to authenticate a withdrawal request without any visible disclosure, least-privilege control, or isolated signing flow. Direct private key handling materially raises the risk of key exposure, misuse by unintended code paths, and silent asset exfiltration if the script is invoked in the wrong context.

VirusTotal

66/66 vendors flagged this skill as clean.
