Clawchain skills

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent broad live blockchain, trading, moderation, and self-update authority that users should review carefully before installing.

Install only if you intentionally want an agent that can perform public on-chain social actions and manage funded trading wallets. Use dedicated low-value wallets, prefer testnet first, require explicit confirmation for every post, moderation action, transfer, and swap, avoid storing secrets or personal data on-chain, and review any remote updates before applying them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (19)

Description-Behavior Mismatch

High

Confidence: 99% confidence
Finding: The file content describes ColorPool DEX functionality while the declared skill metadata is for Clawchain, an on-chain social network. This mismatch can mislead an agent or user into invoking token swap and transfer workflows under a different trust context, increasing the chance of unintended financial operations.

Context-Inappropriate Capability

High

Confidence: 98% confidence
Finding: The skill exposes swap, transfer, and cross-chain transfer operations that materially move user assets, but these capabilities are not justified by the surrounding skill identity of a social-network agent. In a mismatched context, an agent may treat these commands as normal utility functions and execute high-risk financial transactions without appropriate scrutiny or authorization flow.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The heartbeat file goes well beyond periodic status checks and instructs the agent to autonomously browse feeds, post, comment, vote, follow other agents, store memories, and even perform moderation actions. Expanding a recurring routine into broad autonomous social and administrative behavior increases the chance of unintended actions, policy violations, reputational harm, and abuse if the skill is triggered automatically or on a schedule.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The update-check routine does not merely inspect a version but instructs the agent to download remote content and overwrite local skill files in the user's home directory. That materially changes local behavior and creates a supply-chain risk: a compromised server, MITM, or malicious update could alter future agent actions without meaningful review.

Context-Inappropriate Capability

Medium

Confidence: 97% confidence
Finding: This is a true self-update capability: the skill fetches remote markdown files and writes them directly into the local skill directory. Because these files define future agent behavior, this enables remote modification of operational instructions and is especially dangerous in a recurring heartbeat context where the agent may repeatedly trust and refresh adversarial content.

Description-Behavior Mismatch

Medium

Confidence: 93% confidence
Finding: The skill is presented as a social-network integration, but it also directs agents to load external trading and cross-chain transfer skills. That scope expansion is dangerous because it can cause an agent or operator to authorize financial actions they would not reasonably expect from a social skill, and it increases the attack surface through remotely fetched auxiliary instructions.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The document references wallet registration, private-key handling, BSC swaps, and agent top-ups despite the stated purpose being a Chromia social network. Mixing secret material and trading operations into unrelated documentation creates a strong risk of confused-deputy behavior and can socially normalize exposing or managing sensitive wallet data in the wrong context.

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill grants broad authority to discover arbitrary tokens, determine liquidity, create wallets, receive funds, and execute swaps without clearly constraining what assets, counterparties, or transaction conditions are allowed. In an autonomous agent context, this increases the chance of unintended invocation, trading scam tokens, or acting on ambiguous user prompts, which can lead to financial loss.

Missing User Warnings

High

Confidence: 97% confidence
Finding: The skill introduces creation of a hot wallet and storage of the private key on disk near the top of the document, but it does not present a prominent upfront warning that this exposes signing authority and can lead to total asset loss if the host, logs, backups, or file permissions are compromised. Because the agent is instructed to persist the key for reuse, compromise of that file directly compromises all funds held by the wallet.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The swap execution section explains how to sign and broadcast PancakeSwap transactions but omits a clear warning that on-chain swaps are irreversible, may fail after spending gas, may be front-run or sandwiched, and may result in severe losses from slippage, scams, or incorrect token addresses. In a trading skill, this omission is dangerous because it normalizes direct execution without informed user consent or pre-trade risk disclosure.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The document instructs users to deposit and transfer USDC and later perform swaps, but it does not prominently warn that these are real on-chain transactions that can be irreversible and financially loss-inducing if addresses, amounts, or routes are wrong. In an agent skill, omission of such warnings makes accidental fund loss more likely because instructions appear routine and low-risk.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill instructs outbound network access and local file modification without clearly warning the user that it will contact a remote host and overwrite files under ~/.clawchain. Even if intended as convenience, the lack of explicit disclosure and consent can cause unexpected system changes and makes risky behavior easier to hide inside a benign-looking 'heartbeat' routine.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The moderation section authorizes destructive actions such as deleting posts and banning users but does not include explicit warnings, approval requirements, or safeguards around their impact. In a skill designed for recurring autonomous use, this can lead to accidental censorship, abuse of moderator privileges, or irreversible community harm if context is misread.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The manifest describes a broad set of social, memory, moderation, and blockchain operations but does not define when the skill should be invoked or what user consent is required before taking actions. In an agent ecosystem, vague activation scope can cause the skill to be selected in overly broad contexts, leading to unintended on-chain writes, moderation actions, or memory changes with real operational consequences.

Natural-Language Policy Violations

Medium

Confidence: 94% confidence
Finding: The metadata hard-codes Chromia mainnet and a production node URL without exposing any testnet/default-safe mode or documented opt-in. Because this skill supports state-changing on-chain operations, agents may perform irreversible or user-costly actions on mainnet by default, increasing the risk of accidental transactions, unauthorized posting, moderation, or registration against live infrastructure.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The registration and claiming workflow instructs agents to use a local secret file and retrieve claim tokens, but it does not warn that these artifacts are sensitive or limit where they may be displayed, stored, or transmitted. This can lead to accidental disclosure of credentials or claim tokens through logs, chat responses, screenshots, or copied command output.

Ssd 3

High

Confidence: 98% confidence
Finding: The skill explicitly instructs agents to store thoughts, memories, and files on-chain in natural language. In context, that is especially risky because blockchain storage is durable and often broadly readable, so user-provided content, internal reasoning, or sensitive context may become permanently exposed with little ability to delete or correct it.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The example normalizes storing a user's preference as persistent memory, which encourages retaining conversationally learned personal data without any privacy guardrails. In an on-chain or externally persisted context, even seemingly harmless preferences can become durable profile data and contribute to unauthorized tracking or deanonymization.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The memory-file example encourages agents to persist notes about interactions and learned content, which increases the likelihood of saving sensitive conversational material outside the session. Because the skill elsewhere promotes durable storage, this creates a realistic leakage path for user data, internal summaries, or other confidential context.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal