ClawHub

Qfc Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real QFC blockchain skill, but it can move assets, expose wallet secrets, and grant persistent permissions with insufficient built-in safeguards.

Review carefully before installing. Use a dedicated low-value testnet wallet first, never paste mnemonics or private keys into normal chat, and require explicit confirmation for every transfer, approval, swap, NFT listing or purchase, deployment, source verification, wallet deletion, and session-key action. Avoid the auto-approval and composite swap helpers with valuable assets unless you have verified the target contracts and are comfortable with persistent allowances.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The file implements NFT marketplace sale monitoring via watchNFTSales, but the finding indicates this capability is omitted from the manifest scope. That creates a scope mismatch: users, reviewers, or policy controls may not realize the skill can monitor marketplace activity, reducing transparency and undermining permission or review boundaries. In a blockchain interaction skill, hidden or undeclared event-monitoring features are more concerning because they can be used to observe wallet or marketplace behavior beyond the declared contract of the skill.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
This file can deploy arbitrary ERC-20 tokens and airdrop contracts, including a mintable token with owner-controlled supply, while the manifest description does not clearly disclose contract deployment capability. That mismatch is dangerous because users or upstream agents may treat the skill as a normal blockchain interaction utility and unknowingly trigger high-risk actions that create tradable assets, approvals, or distribution infrastructure on-chain.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README demonstrates saving and loading wallets with an inline plaintext password embedded directly in example prompts. In an agent setting, users may copy these examples verbatim into chat logs, shell history, screenshots, or telemetry, which can expose keystore passwords and undermine the stated wallet security model.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The examples encourage actions that can create irreversible on-chain effects, including transfers, token creation, contract interactions, and paid inference submission, without warning about network fees, permanence, or accidental use on mainnet. In an AI-agent context, natural-language examples can normalize risky operations and increase the chance of unintended transactions or financial loss.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The roadmap explicitly defines a natural-language trigger for deploying a token from a broad user phrase. In an agent setting, ambiguous trigger phrases can cause unintended execution of irreversible blockchain actions, especially when deployment, funding, and follow-on steps may be chained from ordinary conversation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This section describes token deployment and related on-chain actions without any mention of user warnings, confirmations, cost disclosure, or irreversibility. In a wallet/contract skill, omission of these safeguards increases the likelihood that users or upstream agents initiate costly, permanent transactions without informed consent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples normalize destructive or financially significant actions such as transfers, minting, burning, approvals, airdrops, swaps, deployments, and purchases without consistently pairing them with prominent confirmation and risk language. In practice, examples strongly shape agent behavior and user prompting; unsafe examples can increase the chance that an agent executes irreversible blockchain operations with insufficient confirmation or context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example instructs users to create a wallet, sign, and submit a paid on-chain inference task, but it does not warn that this spends real funds, transmits task content to the network/miners, and may expose submitted prompts or data. In a blockchain skill, omission of cost/privacy warnings is materially risky because users may paste secrets or unintentionally authorize fee-bearing actions based on copy-paste examples.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide includes ready-to-run examples for swaps, liquidity actions, and vault deposits/withdrawals that trigger real on-chain state changes, but it does not warn that these operations can move funds, incur slippage, approve spending, or be irreversible once submitted. In a blockchain interaction skill, users may reasonably copy these examples directly, increasing the risk of unintended asset loss or execution on the wrong network/account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The example explicitly destructures and exposes `privateKey` during wallet creation without any warning about secrecy, secure storage, or avoiding logs and source control. In a blockchain deployment context, leaked private keys allow full theft of wallet funds and complete loss of control over deployed assets and administrative actions tied to that signer.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The mainnet guidance mentions production deployment but does not clearly warn that token deployment and transfers on mainnet are irreversible and spend real funds. In this skill's blockchain context, omission of that warning increases the chance of operator mistakes, accidental spending, or unintended permanent token issuance on production.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide documents wallet deletion as a simple call that removes keystore material and metadata, but it provides no warning, confirmation flow, backup reminder, or recovery caveat. In a wallet-management context, this can lead to irreversible loss of access if users delete the only stored keystore without preserving the mnemonic or other backup.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs on-chain registration and grants a session key the ability to submit inference and transfer funds, with spending limits and a 24-hour validity period, without an explicit interactive confirmation or strong warning to the operator. In the context of a blockchain wallet skill, silently creating autonomous permissions is materially risky because a user may run a 'demo' script expecting read-only behavior and unintentionally authorize delegated spending activity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill automatically issues ERC-721 approval transactions before listing, which grants the marketplace contract authority over the user's NFT without an explicit confirmation step in this action path. In an agent setting, this is dangerous because a user may intend only to list an NFT, while the tool silently performs an additional privileged on-chain action that can enable asset transfer if the marketplace address is malicious or incorrect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The helper automatically grants MaxUint256 allowance whenever the current allowance is insufficient, which exposes the user's entire token balance to the spender contract if that contract is malicious, upgradeable, compromised, or later abused. In this skill, the danger is increased because approvals are issued programmatically with no user-facing confirmation or option to approve only the exact amount needed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This method performs two value-moving actions in sequence—wrapping native QFC and then swapping it—without any intermediate confirmation, preview, or explicit disclosure that two separate transactions will occur. That can cause users to unintentionally convert assets and incur extra gas or execution risk, especially if the pool/token parameters are incorrect or manipulated by upstream callers.

Missing User Warnings

High
Confidence
98% confidence
Finding
After swapping into WQFC, the function unconditionally unwraps the signer's entire WQFC balance, not just the amount received from the swap. This can drain previously held WQFC unrelated to the current trade, causing unintended asset movement and potential loss of position or funds if the user expected to retain wrapped balance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
createWallet() returns both the mnemonic and raw private key directly to the caller, which exposes the most sensitive wallet secrets in plain application memory and any downstream logs, telemetry, UI rendering, or agent responses. In an agent skill context, this is especially dangerous because generated outputs may be persisted or shown to users automatically, making accidental key exfiltration and irreversible asset theft much more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
sendQFC() broadcasts a value-transfer transaction immediately once called, with no built-in confirmation, policy check, recipient allowlist, or human verification step. In an agent-driven blockchain skill, a prompt injection, tool misuse, or simple user misunderstanding could trigger irreversible transfers to attacker-controlled addresses.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
}

  /**
   * List an NFT for sale. Auto-approves the marketplace if needed.
   * @param marketplace - marketplace contract address
   * @param nftContract - ERC-721 contract address
   * @param tokenId - token ID to list
Confidence
94% confidence
Finding
Auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
const connected = signer.connect(this.provider);
    const nft = new ethers.Contract(nftContract, ERC721_APPROVE_ABI, connected);

    // Auto-approve marketplace if not already
    const approved = await nft.getApproved(tokenId);
    const approvedForAll = await nft.isApprovedForAll(connected.address, marketplace);
    if (approved.toLowerCase() !== marketplace.toLowerCase() && !approvedForAll) {
Confidence
94% confidence
Finding
Auto-approve

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal