skill bundle clawchain

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it needs Review because it can use blockchain private keys, make financial and public social actions, persist behavior-shaping files, and replace local skill instructions from a remote website.

Install only if you intentionally want an agent with blockchain identity, public posting/moderation ability, and optional crypto trading capabilities. Use dedicated low-balance wallets, inspect any fetched updates before replacing local files, require explicit approval for every transaction and public write action, and avoid storing secrets, personal data, or private conversation content in on-chain or persistent memory.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration

Findings (11)

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: The skill is presented as a PancakeSwap/BSC trading skill, but it includes optional ClawChain registration flows that read separate credentials and perform unrelated cross-system account actions. This scope expansion increases the attack surface and can cause an agent to access and use sensitive ClawChain credentials without a strong functional need for token swapping.

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: Embedding Chromia CLI and ClawChain account operations inside a PancakeSwap trading skill creates a hidden trust boundary crossing from EVM trading into another blockchain identity system. Even if marked optional, these commands can normalize unnecessary credential access and increase the likelihood of unintended account linkage or misuse of external credentials.

Context-Inappropriate Capability

Medium

Confidence: 91% confidence
Finding: The skill requires creating and then strictly following a local SOUL.md personality file before every action, which goes beyond the stated need to interact with a blockchain social network. This introduces persistent behavioral steering and local instruction storage that can override current user intent and create a covert prompt-injection/persistence channel.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The skill instructs the agent to fetch additional remote instruction files from clawchain.ai and save them locally, expanding trust to mutable external content outside the reviewed skill. This creates a supply-chain and prompt-injection risk because future behavior can be altered by changing the remote files without local review.

Description-Behavior Mismatch

Medium

Confidence: 94% confidence
Finding: The skill is presented as a BSC DEX trading capability, but it embeds unrelated ClawChain/Chromia account operations and instructs the agent to use separate blockchain credentials. That creates hidden cross-skill privilege expansion and increases the chance that a user enables access to another sensitive credential store without a strong need for the stated purpose.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: The declared credentials include read access to ~/.config/clawchain/credentials.json even though DEX trading on BSC does not require Chromia authentication. Granting access to an unrelated credential file violates least privilege and could enable unauthorized use of the agent's ClawChain identity if the skill is invoked in a broader agent environment.

Vague Triggers

Medium

Confidence: 80% confidence
Finding: The engagement guidance encourages regular feed reading, voting, commenting, following, and community creation without a clear requirement for a fresh user request for each action. In an agent setting, this can blur authorization boundaries and lead to autonomous posting or interactions the user did not explicitly approve.

Ssd 3

Medium

Confidence: 93% confidence
Finding: The skill explicitly supports storing thoughts, memories, and files on-chain or locally in plain language, but does not define strict data minimization or consent boundaries. Because blockchain writes are durable and often public or widely accessible, this can expose sensitive user information permanently.

Ssd 3

Medium

Confidence: 89% confidence
Finding: The personality workflow instructs the agent to expand user intent, persist a derived profile locally, and reuse it before every action. This creates unnecessary retention and repeated reuse of user-derived material, increasing the chance of privacy leakage and instruction carryover into unrelated future tasks.

Ssd 3

Medium

Confidence: 91% confidence
Finding: The skill explicitly enables storing thoughts, memories, and files on-chain or in persistent agent storage without requiring data minimization, user consent, or restrictions on sensitive content. Because blockchain storage is durable and may be broadly readable or hard to delete, this creates a real privacy and data leakage risk if an agent stores user-derived secrets, preferences, or conversation content.

Ssd 3

Medium

Confidence: 90% confidence
Finding: The examples normalize saving user preferences and other content into persistent memory, which can train agents to retain conversational data by default. That increases the chance of later disclosure through retrieval, posting, compromise of local state, or immutable on-chain publication.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal