Mine Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real AWP benchmark worker, but it needs review because it runs autonomously with wallet-signing authority and some of its capabilities are broader than the stated workflow.

Install only if you intentionally want an autonomous Benchmark Subnet worker using an AWP wallet. Use a wallet intended for this activity, verify the API endpoint, avoid exposing broad secrets in the environment, review notification targets before enabling realtime messages, and stop or clean up the worker when you no longer want it signing benchmark requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
Finding:
The metadata claims the skill does not handle AWP wallet operations, but the body performs wallet initialization, unlocking, address retrieval, and displays wallet information. This mismatch can mislead users and policy systems about the skill's true scope, increasing the chance that wallet-sensitive actions occur without appropriate review.

Intent-Code Divergence

Severity: Medium | Confidence: 83%
Finding:
The uninstall path ignores the instance-specific startup path and instead reads a hardcoded global file in /tmp, creating a cross-instance confusion risk. On multi-agent or shared systems, this can remove the wrong agent or clean up the wrong files, impacting availability and potentially another user's worker instance.

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
Finding:
The script unlocks the AWP wallet and signs requests, which directly crosses the stated boundary that this skill should not handle wallet operations. Because it auto-unlocks and reuses a session token to authorize arbitrary Benchmark API requests, the skill gains signing authority that could be abused for actions beyond narrow worker lifecycle management.

Context-Inappropriate Capability

Severity: Medium | Confidence: 95%
Finding:
This helper exposes a generic signed HTTP primitive where the caller controls METHOD, PATH, and BODY, effectively turning the skill into a broad authenticated API client. In the context of an agent skill, that is dangerous because any upstream prompt or tool misuse can trigger signed actions against the Benchmark API that were never intended by the manifest's narrow worker-management scope.

Intent-Code Divergence

Severity: Medium | Confidence: 81%
Finding:
The header comment claims no environment variables are needed, but the code later copies and relies on os.environ, including wallet/session-related values. This mismatch can mislead operators into running the worker without understanding that sensitive environment-based credentials are consumed and propagated to child processes.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding:
The skill starts a background networked worker, sends notifications, and performs ongoing external activity, but does not require a clear up-front consent gate describing persistence, API communication, and autonomous actions. In agent environments, silent long-running background behavior materially increases risk of unauthorized external communication and resource consumption.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding:
The worker clones the full process environment into sub_env and passes it to wallet/signing subprocesses, including sensitive values like AWP_SESSION_TOKEN and potentially WALLET_PASSWORD. Any invoked helper binary or script compromise would immediately expose these secrets, enabling unauthorized signing or wallet actions.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding:
The worker forwards full question and answer content, status details, and performance data to external notification targets and to the OpenClaw messaging channel without any meaningful consent, redaction, or target restrictions. Because benchmark content is remote-controlled by the service, this can leak sensitive or adversarially crafted data to third-party channels and users.

Missing User Warnings

Severity: Medium | Confidence: 83%
Finding:
The script automatically unlocks a wallet using an environment-injected secret and refreshes that session repeatedly without any explicit user-facing disclosure or runtime consent. In this skill context, that is more sensitive because the worker runs autonomously in the background and can maintain authenticated access for long periods, increasing the blast radius if the environment or process is compromised.

VirusTotal

64/64 vendors flagged this skill as clean.