Back to skill

Security audit

BaoziClaw

Security checks across malware telemetry and agentic risk

Overview

This skill needs Review because it advertises Solana betting actions but ships inconsistent placeholder code and an unsafe shell-based path for transaction-related tools.

Install only for review or testing until the publisher aligns the shipped code, documentation, and tool list. Do not allow autonomous betting or claiming; require manual wallet review and signature for every transaction, verify the exact Baozi MCP version being executed, and avoid passing untrusted free-form inputs to the shell-backed tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The embedded implementation instructions tell users to recreate index.ts and route tool calls through exec to an external MCP server, expanding capability beyond simple documented market interactions. This is dangerous because it introduces a subprocess execution path and dynamic external package use that an agent or user may adopt without understanding the security implications.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The markdown includes shell commands that overwrite application code and execute npx against an external package, which is unjustified by the user-facing description of a prediction-market skill. In practice, this can cause arbitrary third-party code to be fetched and run at install/use time, creating a supply-chain and command-execution risk.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The skill documentation is a generic placeholder and does not describe the actual Solana prediction market behavior advertised in metadata. This mismatch can cause an agent or reviewer to misunderstand what the skill does, increasing the chance of unsafe invocation, incorrect trust decisions, or hidden high-risk financial actions being introduced without scrutiny.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The published skill metadata and description claim Solana prediction-market capabilities, but the actual implementation is only a generic echo-style example tool. This kind of functionality mismatch is a supply-chain and trust problem: downstream users or agents may enable or rely on the skill under false assumptions, which can conceal incomplete, placeholder, or swapped code and undermine review expectations.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file comments and exported metadata present this as the main entry point for the baozi-claw skill, but the code does not implement the advertised domain behavior. While not directly exploitable like code execution, misleading inline documentation and metadata can cause operators to trust, install, or approve the package based on false functionality claims, increasing operational and review risk.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file claims to be the main entry point for a Solana prediction-market skill, but it only exposes a generic example tool that echoes input. This mismatch can mislead users, integrators, or downstream agents about the skill’s actual capabilities and trust boundary, increasing the risk of unsafe deployment decisions or supply-chain confusion.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The inline comments present this as the production entry point for baozi-claw, but the implementation is just a trivial example tool. While not directly exploitable as code execution, misleading documentation can cause operators or automated systems to rely on nonexistent security properties or functionality, which is a trust and integrity problem.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill constructs a shell command string and executes it with child_process.exec, embedding toolName and JSON-stringified args directly into the shell invocation. This creates command-injection risk if attacker-controlled input can break shell quoting, and it also delegates sensitive market operations to an external package fetched at runtime via npx, expanding the trust boundary and supply-chain risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document embeds a shell snippet that overwrites index.ts and introduces subprocess execution without warning the operator that it modifies local code and runs external software. This is risky because users may copy-paste it directly, leading to unreviewed code changes and execution of untrusted dependencies in their environment.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill advertises placing bets and claiming winnings on Solana without prominently warning that these are real-funds, potentially irreversible wallet actions. In an agent context, this omission is especially dangerous because users may not realize the tools can trigger or prepare financially sensitive blockchain transactions.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are overly broad and generic, making it easier for an agent to invoke the skill outside an appropriate context. For a skill involving prediction markets and potential financial transactions, ambiguous triggers increase the risk of accidental activation, misuse, or invocation without sufficient user confirmation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The place-bet tool directly builds a betting transaction from provided parameters without any explicit confirmation, risk disclosure, or secondary approval step. In an agent context, this increases the chance of accidental or manipulated wagering actions, especially because the skill concerns financial transactions on prediction markets.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.