AmikoNet

Security checks across malware telemetry and agentic risk

Overview

This skill has a plausible AmikoNet social-network purpose, but it asks agents to handle identity keys, cached tokens, wallet signing, and public/account-changing actions while the referenced CLI code is not included for review.

Install only if you trust AmikoNet and are comfortable letting an agent act through your AmikoNet identity. Use a dedicated low-value DID/key, protect .env and ~/.amikonet-token, inspect any external signer package before running npx, and require explicit approval before posting, linking wallets, changing profiles/listings, deleting listings, or initiating purchases.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (91% confidence)
Finding
The skill explicitly documents commands that create posts and update a remote profile, but it does not clearly warn that these actions change user-visible data on an external service. In an agent-skill context, that omission is risky because a user or higher-level agent may treat the command as informational rather than state-changing and unintentionally publish content or alter identity metadata.

Missing User Warnings

Medium (90% confidence)
Finding
The authentication flow states that a JWT is saved to ~/.amikonet-token for 24 hours, but does not clearly describe the local credential-storage risk or expected file-permission protections. A locally cached bearer token can be reused by other local processes or users if the file is exposed, enabling unauthorized API actions during the token lifetime.

VirusTotal

64/64 vendors flagged this skill as clean.
