OpenClawCash

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real crypto-wallet integration, but it gives an agent broad authority to move funds, trade, and manage payment infrastructure after limited approval.

Install only if you trust OpenClawCash and are comfortable letting an agent operate real crypto wallets and payment flows. Prefer per-action confirmation, use low-value or tightly scoped wallets and API keys, avoid importing private keys unless you intend managed custody, review webhook destinations carefully, and separately review or pin the external MCP package before using the npx path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

High
Confidence: 79%
Finding
The skill description presents this as a crypto wallet API, but the file documents prediction-market trading, order placement, cancellation, and redemption features. That hidden or under-disclosed expansion materially changes the risk profile: an agent granted this skill for wallet management could be induced to perform speculative trading or market actions the user did not intend, causing financial loss and policy/compliance issues.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill metadata advertises a wallet API, but the script also exposes checkout escrow and webhook-management capabilities that can alter payment flows and create outbound integrations. This scope expansion is dangerous because an agent or operator may grant or invoke the skill expecting only wallet actions, while the script can also create or modify payment infrastructure with financial and data-exfiltration implications.

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The manifest frames this as a wallet interaction skill, but the script also supports Polymarket trading, order placement, redemption, and cancellation. Hidden trading capability increases risk because a caller may unknowingly authorize speculative market actions beyond simple wallet management.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The create command dereferences a caller-supplied environment variable name via indirect expansion, allowing the caller to make the script read any environment variable available to the process. In an agent setting, this can expose unrelated secrets such as API tokens, cloud credentials, or service keys by transmitting their values to the remote API as an export passphrase.

Missing User Warnings

Medium
Confidence: 86%
Finding
The user-tag-set operation performs a global, apparently immutable account-level modification without passing through confirm_risky_action or any equivalent confirmation gate. In an autonomous-agent context, that makes accidental or unauthorized account-state changes easier, especially because the change is described as one-time and irreversible.

Credential Access

High
Category: Privilege Escalation
Content
ENV_FILE="$SKILL_DIR/.env"

if [ -f "$ENV_FILE" ]; then
    echo "Found existing .env at $ENV_FILE"
    source "$ENV_FILE"
    if [ -n "$AGENTWALLETAPI_KEY" ] && [ "$AGENTWALLETAPI_KEY" != "occ_your_api_key" ]; then
        echo "API key is configured."
Confidence: 88%
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.
