Passive Savings Crypto

Security checks across malware telemetry and agentic risk

Overview

This wallet skill is not clearly malicious, but it can sign real blockchain transactions, move funds, and grant persistent token spending approval while parts of its description understate those risks.

Install only after careful review. Use a dedicated low-balance Linea wallet, verify the contract addresses and RPC endpoint independently, require manual confirmation before every deposit or transfer, and revoke or avoid unlimited USDC allowance if you do not want persistent router spending authority.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no explicit permissions while requiring sensitive environment access, including `AGENT_PRIVATE_KEY` and `RPC_URL`. This weakens user and agent visibility into the skill's trust boundary and can lead to unsafe execution because the skill can sign and broadcast blockchain transactions despite appearing under-declared.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The skill description minimizes risk by saying there are 'no protocol interactions' and 'no special steps,' but the documented behavior involves direct contract calls, token approvals, protocol deposits, and handling a yield token instead of plain USDC. This mismatch can mislead users or autonomous agents into approving actions they would treat differently if the protocol risk, allowance risk, and asset-conversion semantics were disclosed accurately.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill metadata promises a passive yield product with 'no protocol interactions, no special steps,' but the documentation explicitly describes minting sUSDC, rebasing balance handling, and custom transfer routing. This mismatch can mislead users or agents into authorizing higher-risk DeFi actions than expected, including smart-contract interactions and nonstandard token transfer behavior.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The documentation says there are 'no protocol interactions' and 'no special steps,' yet the same file states funds are deposited into Aave and managed through specialized SYT workflows. In a wallet/agent context, deceptive simplification is dangerous because it can cause automated systems or users to underestimate custody, protocol, and transfer risks associated with yield-bearing and rebasing assets.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The README materially misrepresents the trust and action model by claiming 'no protocol interactions' and that funds 'move like regular USDC,' while later documenting onchain minting through a Locker Router and an unlimited USDC approval. In an agent-wallet context, this can cause users or autonomous systems to authorize risky DeFi actions under the false assumption that the skill is only handling inert balance management, increasing the chance of unintended token approvals and fund exposure.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill explicitly loads a raw wallet private key from an environment variable, which gives the code direct signing authority over the agent's funds. In a skill marketed as passive savings with 'no protocol interactions' and 'no special steps,' this credential-handling capability is broader and more dangerous than the stated purpose, increasing the risk of unauthorized transfers or hidden on-chain actions if the skill is modified or abused.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script directly performs on-chain approval and deposit transactions, contradicting the skill description that claims there are no protocol interactions or special steps. This is dangerous because users or agents may be misled into granting token permissions and moving funds into a protocol without informed consent, and the infinite approval amplifies loss potential if the router is compromised or behaves unexpectedly.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The comment about saving gas on future 'mints' reveals repeated protocol-specific token approvals and interactions that are not transparently presented in the passive-savings framing. While a comment alone is not executable, it corroborates a misleading safety model that can cause operators to underestimate that funds are being converted into a protocol position rather than remaining like ordinary USDC.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This script enables direct transfer of the user's yield-bearing token balance to any recipient supplied on the command line, which is broader than the skill's stated passive-savings behavior. In an agent setting, exposing arbitrary outbound transfer capability increases the chance of unauthorized fund movement through prompt injection, misconfiguration, or misuse of the tool.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The writeContract call performs an unrestricted token transfer using a runtime-provided recipient and amount, creating a generic fund-exfiltration primitive. Because the skill is presented as passive savings with 'no special steps,' this capability is especially risky: users or higher-level agents may not expect that invoking the skill can send assets to arbitrary external addresses.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation examples are broad enough that a general finance-related request like 'What's my balance?' or 'Send 50 USDC' could trigger this skill without strong activation boundaries. In an agent setting, that increases the chance of accidental use of a wallet-connected skill for real financial actions, including transfers or deposits on mainnet.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script loads a private key and immediately uses it to sign approval and deposit transactions without any in-file warning, confirmation, or disclosure to the operator. In an agent skill context, this is especially risky because automation can cause unattended signing of fund-moving transactions, reducing human review and increasing the chance of unintended asset loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The tool description exposes a real asset-moving operation ('Deposit USDC') and automatic approval behavior without clearly warning that it will submit on-chain transactions and move user funds. In an agent setting, this increases the risk of unintended deposits because the action is presented as routine and low-friction, which can mislead users or higher-level planners about financial finality and approval side effects.

Missing User Warnings

High
Confidence
97% confidence
Finding
This tool enables token transfer to an arbitrary recipient but does not clearly warn that it causes irreversible on-chain asset movement. The description is especially risky because it frames the action as 'Send USDC' via an abstraction layer, which may obscure finality and make accidental or manipulated transfers more likely in autonomous or semi-autonomous agent workflows.

VirusTotal

65/65 vendors flagged this skill as clean.
