ClawHub

Agentsmint

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent NFT-platform integration, but it enables costly or irreversible blockchain and marketplace actions without clear confirmation safeguards.

Install only if you want an agent to manage NFTs through AgentsMint on Base. Before any deploy, mint, buy, list, confirmation, or ownership-transfer step, require a separate confirmation showing the exact wallet, chain, contract, recipient, listing or collection ID, price, gas estimate, transaction hash, and ownership setting. A dedicated low-balance wallet is safer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill's activation guidance is broad enough that an agent could invoke it for generic NFT-related requests without clearly establishing user intent, wallet readiness, or transaction authorization boundaries. In a blockchain context, over-broad triggering is risky because the skill supports contract deployment, listing, and purchase flows that can lead to irreversible on-chain or marketplace actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation presents deployment, minting, listing, and purchase confirmation as straightforward API steps but does not require explicit warnings or confirmation for financially relevant and irreversible actions. Because these operations can create contracts, transfer ownership, publish sale listings, or finalize purchases tied to blockchain transactions, an agent may execute high-impact actions without adequate user awareness or consent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal