Agent Store

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real wallet-backed purchase workflow, but it needs review because it can spend funds, approve token use, buy an under-described VPS product, and change future agent model settings.

Install only if you intentionally want an agent to make wallet-backed purchases. Use a limited wallet, verify the product, price, asset, chain, recipient, approval amount, publisher, wallet CLI, and API host before each run, and separately approve any runtime config edits or model switching.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no explicit permissions even though its instructions require shell execution, filesystem reads/writes, environment access, and network activity. This undermines policy enforcement and informed consent because a caller or platform cannot accurately assess or gate the skill's real capabilities before execution.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest says the skill is for buying API keys or API credits, but the documented entrypoint also accepts `vps_instance`. That creates hidden functionality outside the stated purpose, increasing the risk of unintended invocation, scope creep, and unreviewed infrastructure provisioning behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
After purchasing an API key, the skill instructs the agent to edit runtime configuration, replace provider models, switch the active model, send a live verification request with the new credential, and start a new session. These are high-impact state changes unrelated to merely purchasing a product and can alter system behavior, route future traffic through a new provider, and expose newly obtained secrets over the network.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Using the generic trigger word `get` makes the skill far easier to invoke accidentally in ordinary conversation. In this context the skill can initiate purchase and wallet-related flows, so overbroad matching materially raises the risk of unintended commercial or credential-handling actions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill tells the agent to store a delivered API key in runtime configuration and immediately use it in a live verification request, but it does not require warning the user or obtaining consent for those sensitive actions. This is dangerous because it persists a secret locally and transmits it to an external service, expanding exposure without clear user awareness.

Missing User Warnings

High
Confidence
98% confidence
Finding
The wallet unlock response is logged in full after obtaining a session token, and the redaction list does not include the exact key name `sessionToken`. That can persist a live wallet session credential to disk, allowing anyone with log access to reuse the unlocked wallet session for signing or payment actions.

VirusTotal

VirusTotal findings are pending for this skill version.
