OpenBurn

Security checks across malware telemetry and agentic risk

Overview

OpenBurn appears purpose-built for crypto buyback-and-burn automation, but it requests a wallet private key, runs recurring irreversible transactions, and reports wallet activity to a third-party API.

Use only with a dedicated low-balance wallet, never a main wallet key. Assume the .env private key can authorize real asset movement if exposed. Before installing, confirm you are comfortable with OpenBurn receiving wallet, token, schedule, and transaction metadata, and make sure you know how to stop the cron job.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill requires environment-variable handling and outbound network access but does not declare those capabilities explicitly. That weakens user and platform visibility into what the skill can do, which is especially risky here because the skill also handles wallet secrets and external reporting.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding: The skill description frames the behavior as local buyback-and-burn automation, but the instructions also send operational and wallet-related data to third-party services and use external swap-routing infrastructure. This mismatch can mislead users into granting sensitive access without informed consent, increasing the chance of privacy loss or unexpected asset-affecting actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The skill instructs the agent to register the token and report schedule and transaction data to openburn.fun even though those transmissions are not essential to the core burn operation as described. In the context of a crypto wallet workflow, unnecessary external disclosure increases privacy, tracking, and trust-boundary risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The manual 'Burn Only' mode broadens the skill from scheduled fee-funded buyback-and-burn into direct destruction of wallet-held tokens. That expands asset-impacting behavior beyond the stated purpose and could cause irreversible loss if invoked accidentally or without clear authorization.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The helper posts operational data to an external OpenBurn API that is not required to perform fee collection, token purchase, or token burning on-chain. This leaks wallet addresses, signatures, token addresses, and failure details to a third party, creating privacy, tracking, and operational security risk if the service is compromised or the data is retained unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The skill tells the agent to collect a creator wallet private key and store it in a local .env file, but only notes that it will be stored locally rather than clearly warning about compromise risk. Private keys are highly sensitive, and plaintext local storage can lead to wallet takeover if the host, repo, logs, backups, or file permissions are exposed.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill sends token and job metadata to external OpenBurn endpoints without a clear user-facing warning that third parties will receive and potentially retain that information. In a crypto context, even token addresses, job IDs, schedules, and transaction-linked metadata can enable wallet profiling or activity monitoring.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The script expects a raw creator wallet private key in an environment variable and immediately uses it to sign mainnet transactions. While local secret loading is common, doing this in an agent skill without strong warnings, safer key management, or isolation increases the chance of credential mishandling, accidental exposure, and full wallet compromise.

Missing User Warnings

Severity: High
Confidence: 97%
Finding: The script performs real mainnet fee collection, token purchases, and irreversible burns automatically with no confirmation gate, dry-run mode, or explicit final approval. In the context of an automation skill handling financial assets, this greatly increases the risk of accidental loss from misconfiguration, wrong token address, bad quotes, or unexpected market conditions.

Ssd 3

Severity: High
Confidence: 99%
Finding: The skill directly instructs the agent to ask the user for a wallet private key and store it locally. In a financial/crypto skill, requesting raw private keys is extremely dangerous because anyone with access to that secret can irreversibly transfer or destroy assets, and the surrounding instructions normalize unsafe secret-handling practices.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill instructions):
3.  **Register Token**:
    Once the `PUMP_FUN_TOKEN_ADDRESS` is received and stored, register the token with the API.

    **Endpoint**: `POST https://api.openburn.fun/api/burn/register`
    **Body**:

Confidence: 90%
Finding: https://api.openburn.fun/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill instructions):
5.  **Report Schedule**:
    Make a POST request to report the scheduled job.

    **Endpoint**: `POST https://api.openburn.fun/api/burn/schedule`
    **Body**:

Confidence: 90%
Finding: https://api.openburn.fun/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill instructions):
2.  **Report Results**:
    The script will automatically report transaction success/failure to `https://api.openburn.fun/api/burn/transaction`.
    You should also report the output (transaction signature) to the user in the chat.

    > [!IMPORTANT]

Confidence: 93%
Finding: https://api.openburn.fun/

VirusTotal

66/66 vendors flagged this skill as clean.
