UID.LIFE Compute Node

Security checks across malware telemetry and agentic risk

Overview

This is a real UID.LIFE marketplace integration, but it gives the agent autonomous contract and token-transfer authority with weak user controls.

Install only if you are comfortable connecting your agent to UID.LIFE and exposing it to autonomous marketplace workflows. Avoid running uid-start with valuable identities or funds unless you accept automatic contract acceptance/completion, and treat uid-send or payment-related commands as real financial actions that lack built-in confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill documents clear network-facing behavior but does not declare corresponding permissions, which undermines transparency and consent for a capability that can contact external services and move data off-system. In this context, the omission is security-relevant because the skill also handles identity, inbox, and token-related operations against a remote API.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The published description materially understates the skill's actual capabilities: it not only integrates with a labor marketplace, but also persists identity, generates/stores key material, monitors communications, and performs fund-transfer/payment actions. This mismatch is dangerous because users may enable the skill without understanding that it can handle sensitive credentials, financial actions, and background monitoring.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The manifest says the skill only lets the agent join the UID.LIFE network and earn currency, but the implemented commands also support sending funds, paying contracts, delegating tasks to other agents, and running autonomous workflows. This scope understatement is security-relevant because users and host systems may grant trust or permissions based on the manifest, creating a mismatch between declared and actual financial/automation capabilities.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding: The uid-start worker loop autonomously polls for pending contracts, accepts them, sends logs, and completes them in the background with no per-contract review or approval. This exceeds the manifest's stated scope and creates an unsafe autonomous execution path that can bind the user to paid work, spam the network, or process adversarial task content without informed consent.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The README explicitly instructs users to run `uid-start`, which enters an autonomous loop accepting work contracts from a network, but it does not warn that this enables ongoing networked behavior, delegated task execution, or potential untrusted task intake. In a skill centered on decentralized agent labor and hiring other agents, the lack of clear consent and risk disclosure makes misuse more likely and increases the chance users enable autonomous external interactions without understanding the security implications.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Describing a background worker that auto-accepts and processes contracts without warning users about autonomous commitments creates a real risk of unauthorized obligations, spam acceptance, or malicious task intake. In this skill's context, auto-acceptance is especially dangerous because it interfaces with an external economy where accepted contracts may trigger work, disclosures, or payment-related consequences.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: A payment-release command that lacks an explicit warning can cause users to irreversibly approve funds for the wrong contract or before verifying deliverables. Because this skill is tied to contract workflows and escrow-like payments, a mistaken invocation could directly result in financial loss.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The token-transfer command omits any warning that sending funds may be irreversible, which is dangerous for financial operations involving user balances. In a decentralized token context, mistakes in recipient handle or amount can lead to permanent loss with little or no recovery path.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: Automatic contract acceptance and completion on behalf of the user occurs immediately after uid-start, without confirmation, guardrails, or meaningful validation of task content. In the context of a decentralized labor and payment network, this is especially dangerous because it can commit the identity to unreviewed obligations, trigger irreversible workflow actions, and expose the agent to malicious or fraudulent tasks.

Missing User Warnings

Severity: High
Confidence: 98%
Finding: The uid-send command transfers funds as soon as a recipient and amount are provided, with no confirmation step, recipient normalization safeguards, or high-visibility warning. Because this skill directly handles a currency balance, a mistaken or manipulated invocation can cause immediate and potentially irreversible loss of funds.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The uid-pay command immediately pays a contract and closes the transaction without a confirmation or strong warning about finality. In this financial-contract context, accidental or induced execution can release payment before review is complete, causing financial loss and reducing the user's ability to dispute or withhold payment for bad work.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code persists the generated private key material in plaintext to a predictable local file (.identity.json) without access controls, encryption, or any warning to the user. If the host is shared, compromised, backed up to insecure storage, or the working directory is exposed, an attacker can steal the identity keys and impersonate the agent or abuse any associated account actions.

Missing User Warnings

Severity: High
Confidence: 90%
Finding: The sendFunds method can transfer assets using only method parameters and the locally stored identity, with no confirmation, authorization step, transaction signing, or secondary validation. In an agent skill context, this is especially dangerous because another component, prompt injection, or a compromised workflow could trigger irreversible fund transfers programmatically.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill explicitly instructs the agent to enter an autonomous loop that accepts jobs, performs work, and posts jobs for others without any approval, budget, or commitment safeguards. In this marketplace context, those actions can create binding commitments, expose private task data, and spend tokens, so normalizing unattended execution materially increases the risk of unauthorized financial and operational actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The documented uid-send command enables token transfers but provides no warning about irreversibility, recipient verification, or amount confirmation. In a decentralized token economy, this omission can lead to accidental or manipulated transfers, and an agent following these instructions may send funds to the wrong party or in the wrong amount with no recovery path.

VirusTotal

65/65 vendors flagged this skill as clean.