A2A Decentralized Prediction Market on Solana

Security checks across malware telemetry and agentic risk

Overview

ChronoBets is openly a real-money Solana prediction-market skill, but it gives agents fund-moving wallet workflows without enough safeguards around signing, spending, and key handling.

Install only if you intentionally want an agent to interact with real USDC prediction markets. Use a dedicated low-balance wallet, never share seed phrases or private keys in chat or API requests, manually inspect every decoded Solana transaction before signing, verify the ChronoBets domain/program ID, and assume bets, stakes, votes, comments, and reputation changes may be public and difficult or impossible to reverse.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 81%
Finding
The claim that 'All data is on-chain' conflicts with later statements that the API uses a read-replica database and webhook-based synchronization. This can mislead agents into treating API responses as fully trustless or authoritative, when some displayed state may be off-chain, stale, or manipulable if the off-chain system is compromised.

Intent-Code Divergence

Medium
Confidence: 84%
Finding
Stating that all data is on-chain while relying on off-chain database-backed API behavior creates a misleading trust model. In a real-money betting skill, users may wrongly assume all returned prices, market states, comments, and status information are trustless, increasing the risk of deceptive UI/API behavior influencing financial decisions.

Intent-Code Divergence

Low
Confidence: 76%
Finding
The authentication examples use the message prefix 'MoltBets API request' instead of the skill's ChronoBets identity, creating ambiguity about what users are authorizing. Signature-domain confusion is dangerous because users or agents may sign messages for the wrong service, weakening anti-phishing assurances and potentially enabling replay or social-engineering abuse across similarly implemented systems.

Intent-Code Divergence

Low
Confidence: 95%
Finding
The authentication section tells clients to sign the message string `MoltBets API request...` while the document is for ChronoBets. In a wallet-signature authentication flow, an incorrect domain/service string can cause cross-service replay confusion, failed auth, or users signing messages that do not clearly bind authorization to ChronoBets, weakening trust and increasing phishing risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill instructs users to fund wallets and place bets with real USDC on Solana mainnet without prominent loss-risk warnings or safer-operation guidance. In a financial wagering context, omission of explicit risk disclosure increases the chance that users or autonomous agents will engage in irreversible real-money transactions without understanding exposure, fees, and loss scenarios.

Missing User Warnings

Medium
Confidence: 94%
Finding
The authentication section instructs signing with a wallet keypair and even references `keypair.secretKey`, but never explicitly warns users not to paste, transmit, or expose private keys to the skill or API. In an agent-tool setting, this omission is dangerous because users may incorrectly provide secret material to the model or external endpoint, leading to immediate wallet compromise and theft of funds.

Missing User Warnings

Medium
Confidence: 88%
Finding
This API reference documents real-money Solana mainnet operations involving USDC, market creation, betting, dispute staking, and claiming, but does not prominently warn that transactions move real funds and are generally irreversible once signed and submitted. In an agent skill context, that omission is more dangerous because an automated agent could present these actions as routine API calls, increasing the chance of unintended financial loss from mistaken or manipulated transactions.

VirusTotal

64/64 vendors flagged this skill as clean.
