agent-genesis SKILL

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed crypto wallet and mining tool, but it also installs broad mainnet DeFi and margin-trading powers through a mutable remote installer, so it belongs in Review.

Install only if you are comfortable giving this skill a real wallet and mainnet transaction authority. Use a fresh low-value wallet, avoid storing valuable API keys or funds in the same environment, review every transaction manually, and avoid the one-line remote installer unless you first inspect and pin the exact code you will run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (39)

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill metadata presents Agent Genesis as an AGC mining skill, but the repository instructions clearly include a second DeFi trading/lending capability under the same package. This scope mismatch can mislead users and reviewers about what the installed skill can do, increasing the chance that wallet-connected trading, lending, or margin functionality is executed without informed consent.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The README and skill metadata frame the capability as mining/earning AGC and agent working capital, but the documented behavior expands into swaps, liquidity provision, lending, and margin trading. This scope mismatch can mislead users and orchestrators into granting permissions or trust appropriate for a narrow mining skill while the skill actually performs higher-risk financial operations on mainnet.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
Margin trading and broad DeFi account management are materially riskier than a mining or wallet-bootstrap workflow, especially because they can expose funds to leverage, liquidation, slippage, and approval risk on Base mainnet. In the context of an agent skill, presenting these actions as adjacent convenience commands increases the chance of unsafe autonomous execution beyond the user's expected risk tolerance.

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The documented behavior expands from AGC mining into a general DeFi control surface, including trading, liquidity provision, and margin operations via an automatically installed secondary skill. Hidden scope expansion is dangerous because users may believe they are enabling only mining while the same wallet is exposed to higher-risk financial actions.

Context-Inappropriate Capability

High (95% confidence)
Finding
Margin trading and token swap capabilities are not justified by the stated mining purpose and materially increase the risk of loss through leveraged positions, slippage, bad routing, or accidental execution. Bundling these powers into a mining skill broadens the blast radius if the agent is confused, manipulated, or the downstream code is compromised.

Context-Inappropriate Capability

Medium (86% confidence)
Finding
Running npm install on unpinned remote code can execute package lifecycle scripts and pull transitive dependencies from the registry, creating a meaningful supply-chain execution path on the local system. Because the script installs both the main project and a nested likwid-fi package without verification or lockfile-enforced immutability, a compromised dependency or repository update could lead to arbitrary code execution during installation.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The skill loads MODEL_KEY and MODEL_TYPE from environment variables and a local .env file, even though those credentials are unrelated to core wallet creation, balance checks, or onchain mining execution. Pulling in unrelated AI-provider secrets expands the trust boundary and enables subsequent exfiltration or third-party proof generation using sensitive credentials the user may not expect this wallet/mining tool to access.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The reclaim proof workflow contacts external services using the loaded MODEL_KEY, including an AI provider endpoint and a verifier-controlled session-signature endpoint, to inspect account metadata and generate a proof. In a wallet/mining skill, this is dangerous because it sends credential-authenticated requests to third parties unrelated to basic wallet operations, creating a realistic path for secret misuse, metadata leakage, or unauthorized attribution of the user's external account.

Description-Behavior Mismatch

Medium (94% confidence)
Finding
The install instructions direct users to fetch and execute a bootstrap script from a remote GitHub URL under an agent-genesis path, not a clearly pinned local asset belonging to the declared skill. In a wallet-handling DeFi skill, this creates a serious supply-chain risk: if the remote script or referenced repo is modified, users may execute attacker-controlled code before interacting with private-key material.

Description-Behavior Mismatch

High (96% confidence)
Finding
The ABI exposes a large set of DeFi and NFT-custody capabilities, including donation, margin/liquidation helpers, NFT locking/unlocking, rescue, and ownership transfer, which are materially unrelated to the stated skill purpose of AGC mining and working capital. In an agent-skill context, this mismatch is dangerous because an agent integrating this ABI may be induced to request wallet approvals or invoke asset-moving functions outside user expectations, expanding the attack surface for unauthorized fund or NFT handling.

Context-Inappropriate Capability

High (97% confidence)
Finding
The ABI exposes margin and liquidation-related functions such as checkMarginPositionLiquidate, getLiquidateRepayAmount, getBorrowAPR/getBorrowRate, and pool-state helpers that indicate support for leveraged DeFi activity unrelated to AGC mining. In this skill context, that discrepancy makes the capability set more dangerous because users expecting a mining/working-capital workflow could instead be routed into borrowing, liquidation, or other financially risky actions with potential loss of funds.

Description-Behavior Mismatch

High (99% confidence)
Finding
The ABI clearly exposes a DeFi margin-position manager with borrowing, leverage, liquidation, repayment, and ERC-721 position transfer operations, which is materially inconsistent with the stated skill purpose of AGC mining / Proof of Agent earnings. This kind of capability mismatch is dangerous because an agent or user may grant approvals or invoke financially sensitive functions under false pretenses, enabling unauthorized trading, liquidation, or asset movement.

Context-Inappropriate Capability

High (98% confidence)
Finding
The exposed methods include addMargin, margin, modify, repay, close, liquidateBurn, liquidateCall, approve, setApprovalForAll, and transferFrom/safeTransferFrom, all of which can affect custody and leveraged financial positions. In the context of a skill advertised as coin mining, these unjustified capabilities significantly increase the chance of deceptive prompting, unsafe wallet approvals, and unexpected loss of funds through leverage or liquidation workflows.

Description-Behavior Mismatch

High (97% confidence)
Finding
The ABI exposes a full-featured DeFi vault with pool initialization, swaps, lending, margin operations, fee control, and admin setters, which materially exceeds the declared purpose of AGC mining/working-capital support. This capability mismatch is dangerous because an agent or user trusting the manifest could be induced to interact with unrelated high-risk financial primitives and privileged operations under false pretenses.

Context-Inappropriate Capability

High (96% confidence)
Finding
The interface includes sensitive operations such as modifyLiquidity, swap, lend, marginBalance, setProtocolFee, setMarginController, collectProtocolFees, and transferOwnership, none of which are justified by the advertised mining use case. In this skill context, hidden access to trading and protocol-administration surfaces increases the chance of unauthorized fund movement, risky leveraged activity, or deceptive workflow construction by an agent.

Description-Behavior Mismatch

Medium (92% confidence)
Finding
The bootstrap script fetches code from a remote GitHub repository and immediately installs its npm dependencies, which expands the skill's effective behavior beyond the stated mining/working-capital description and creates a software supply-chain risk. Because the downloaded repository and packages can change over time, a user running this script may execute unreviewed code with the user's local permissions.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The script includes repository cloning/updating and package installation capabilities that are not clearly justified by the narrow skill description, increasing the attack surface and making the skill capable of introducing arbitrary remote code. In this context, the mismatch between claimed functionality and actual installer behavior raises concern because users may not expect persistent code checkout and dependency resolution from the network.

Description-Behavior Mismatch

High (99% confidence)
Finding
The file implements a full-featured DeFi trading client for swaps, liquidity management, pool creation, and margin trading, while the enclosing skill is described as AGC mining / Proof-of-Agent functionality. That mismatch is dangerous because users or higher-level agents may grant wallet access under a benign mining pretext, but the code is capable of executing real on-chain financial transactions and approvals far outside the stated purpose.

Context-Inappropriate Capability

High (98% confidence)
Finding
The code includes leveraged margin trading, debt repayment/modification, and pool-creation operations that can materially increase financial risk to the user. In the context of a skill advertised for AGC mining, these capabilities are unjustified and create a high risk of unauthorized or misunderstood fund movement, leverage exposure, and irreversible loss.

Intent-Code Divergence

Medium (83% confidence)
Finding
The header states the module is 'fully independent' of agent-genesis, yet it is packaged under the Agent Genesis skill. This contradiction is a supply-chain and trust-boundary red flag because it suggests the file was dropped into the skill without coherent provenance or purpose review, increasing the chance that users execute unrelated wallet-affecting logic under false assumptions.

Missing User Warnings

Medium (88% confidence)
Finding
The document provides direct mainnet and testnet broadcast commands that require an RPC URL and private key, but it does not warn that these actions can irreversibly deploy contracts and spend real funds. In an agent-oriented skill, operational instructions like this can normalize unsafe execution and increase the chance of accidental high-impact transactions.

Missing User Warnings

Medium (91% confidence)
Finding
The testing guidance says to run against live chains only, but does not mention that tests may consume gas, move assets, alter protocol state, or interact with production contracts. For a DeFi and smart-contract repository, this omission materially raises the risk of fund loss or unintended on-chain side effects during routine validation.

Missing User Warnings

Medium (90% confidence)
Finding
The instruction to always test against Base mainnet or Sepolia and never mock encourages execution against real environments without any guardrails. In the context of wallet operations, DeFi interactions, and ERC-4337 flows, this makes mistakes more dangerous because even small test actions can trigger real approvals, debt positions, swaps, or gas expenditure.

Missing User Warnings

Medium (95% confidence)
Finding
The README instructs users to write an API key directly into a local .env file but provides no guidance on file permissions, exclusion from version control, secret rotation, or host compromise risks. In an agent environment, locally stored credentials may be exposed to other tools, logs, backups, or accidental commits, leading to credential theft and third-party billing abuse.

VirusTotal

61/61 vendors flagged this skill as clean.