Multichain Protocol

Security checks across malware telemetry and agentic risk

Overview

This is an openly described crypto wallet skill, but it can move real funds and create recurring trading actions without enough built-in confirmation, limits, or provenance safeguards.

Review before installing. Use a dedicated low-balance dfx identity, verify the dfx installer and Menese canister provenance, start with testnet or very small amounts, require manual confirmation for every send/swap/bridge/approval, avoid null or unlimited approvals, and do not enable recurring automation unless it has clear spend caps, expiration, monitoring, and a cancellation path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises and instructs installation of shell-capable tooling and includes executable install commands, but does not declare corresponding permissions. In an agent ecosystem, undeclared shell capability undermines trust boundaries and can cause the host to permit execution paths the reviewer or user did not explicitly consent to.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This skill is explicitly designed for high-risk financial operations across many chains, yet the onboarding and feature overview omit clear warnings about irreversible transactions, slippage, bridge risk, smart contract risk, and fund loss. In this context, omission of risk disclosure materially increases the chance that an agent or user will invoke dangerous actions without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quickstart normalizes commands like sending ETH, swapping assets, and setting up DCA without adjacent safeguards, confirmations, or warnings about irreversible execution and automation risk. Because this is an agent skill for wallet operations, users may copy these examples directly, leading to unintended real-money loss from a single prompt.

Missing User Warnings

High
Confidence
97% confidence
Finding
The approval section describes granting a canister spending authority over user tokens but does not warn that approvals can persist and enable third-party transfers up to the allowance amount. That omission is especially dangerous because approvals are a common source of token draining and ongoing financial exposure even after the immediate action is complete.

Missing User Warnings

High
Confidence
96% confidence
Finding
The automation examples implement unattended recurring trades, stop-losses, cross-chain actions, and treasury sweeps without emphasizing the risk of repeated unintended execution, stale market assumptions, key compromise impact, or logic errors moving funds continuously. In an autonomous agent context, these patterns significantly amplify blast radius because a single misconfiguration can trigger repeated real asset movements across chains.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Token transfers and swaps are executed immediately from command-line parameters with no confirmation prompt, dry-run mode, recipient checksum/preview, or irreversible-action warning. In the context of a multi-chain wallet skill that can move real funds on mainnet, this increases the chance of accidental or induced loss through mistyped addresses, malicious prompting, or operator mistakes.

VirusTotal

66/66 vendors flagged this skill as clean.
