forgex

Security checks across malware telemetry and agentic risk

Overview

ForgeX is a coherent crypto wallet and trading skill, but it directs users toward high-risk wallet control, automated trading, and volume/price manipulation workflows with limited safety guidance.

Install only after independently verifying the npm package and publisher. Use isolated test wallets with small balances, avoid valuable private-key imports, do not paste real private keys or passwords into shell commands, protect exported backups, and require explicit review before any live transfer, trade, token launch, daemon, volume, sniping, or price-moving operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill prominently documents commands for importing, exporting, and directly supplying private keys and passwords on the CLI, but provides no warnings about shell history exposure, plaintext key leakage, insecure CSV backups, or the risk of accidental disclosure to logs and terminal tools. In an agent skill context, this is especially dangerous because users may paste secrets into automation workflows, increasing the chance that private keys are exfiltrated or mishandled and resulting in irreversible wallet compromise.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The README presents destructive operations such as deleting wallet groups and moving funds as routine commands without prominent warnings that these actions are irreversible and can cause permanent asset loss if mis-targeted. Because this skill is designed for rapid wallet and trading operations, omission of such warnings makes operator error more likely and can lead to accidental deletion or fund transfers that cannot be recovered.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill advertises volume generation, zero-net-loss trading, turnover cycling, and automated price movement without any warning about financial risk, market manipulation concerns, or potential legal/compliance consequences. In context, these are not neutral administrative features: they are explicitly framed as mechanisms to fabricate volume and influence price, which makes the skill substantially more dangerous than a generic trading tool.

VirusTotal

65/65 vendors flagged this skill as clean.