Security audit

THE FLIP

Security checks across malware telemetry and agentic risk

Overview

This is a real Solana devnet game skill, but it deserves review because it reads a local wallet key by default and bundles high-impact transaction/admin actions with limited safeguards in the primary skill instructions.

Install only if you are comfortable with a Solana devnet tool reading a local Solana keypair and signing transactions. Use a dedicated devnet-only wallet, review the npm dependencies and curl-to-shell installer, and require explicit approval before running any command that enters, claims, flips, initializes, withdraws fees, or closes game state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%

Finding
The skill invokes external networked services and blockchain interactions but does not declare corresponding permissions. This weakens the trust boundary for agents and users, because a seemingly simple local game skill can still make outbound requests or trigger wallet-affecting actions without explicit capability disclosure. In this context, hidden network access is more dangerous because the skill also references a remote API and on-chain transaction flows.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%

Finding
The documented behavior presents the skill as a straightforward jackpot game, but the underlying behavior includes authority-controlled initialization, fee extraction, fee withdrawal, and migration-related closure powers. That mismatch is security-relevant because users and agents cannot accurately assess custody, governance, or privileged controls, increasing the risk of deceptive use, undisclosed value extraction, or unsafe automation decisions. The gambling/financial context makes this more dangerous, since users may spend funds based on incomplete disclosure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%

Finding
The script's advertised purpose is a player-facing coin-flip game, but it also exposes operator-only fund-management and migration commands such as fee withdrawal and game closure. This mismatch is dangerous because users may run the tool under the assumption it only interacts with game entry/claim flows, while it can also move funds or alter on-chain state in privileged ways if executed with an authority wallet.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%

Finding
Including a migration/closure command unrelated to the stated gameplay widens the attack surface and creates risk of destructive state changes if an operator runs the wrong command or if the skill is reused in automation. In a wallet-connected blockchain tool, a close/migration action can permanently alter availability or recover lamports from PDAs, so undisclosed presence of such functionality is security-relevant.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%

Finding
The presence of an operator fee withdrawal command is not justified by the user-facing game description, which can mislead reviewers and operators about the script's ability to transfer funds from the protocol vault. In this context, hidden or under-disclosed fund-movement functionality is more dangerous because the script loads the local wallet automatically and can submit signed transactions against the authority-controlled accounts.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%

Finding
The description says winners receive the 'entire jackpot,' yet the state model includes `operator_pool` and an authority-only `withdraw_fees` instruction, meaning some entry funds can be diverted before payout. In a wagering context this is materially misleading and can cause users to overestimate payout fairness and expected value.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%

Finding
The description says winners receive the 'entire jackpot,' yet the state model includes `operator_pool` and an authority-only `withdraw_fees` instruction, meaning some entry funds can be diverted before payout. In a wagering context this is materially misleading and can cause users to overestimate payout fairness and expected value.

Intent-Code Divergence

Severity: Medium
Confidence: 88%

Finding
The `enter` docs say players can enter 'anytime' and that the game is 'always open,' but the IDL also defines a 12-hour flip cooldown and a `BufferExpired` condition requiring claims within 32 rounds. In a betting game, inaccurate timing semantics can directly cause users to lock funds into rounds with delayed resolution or lose the ability to claim if they rely on the simplified description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%

Finding
The authority-controlled `close_game_v1` instruction can zero out the game account and reclaim its lamports while the game is still live, destroying state needed for future claims and operation. In a jackpot game context, this is dangerous because players depend on persistent state to verify rounds and redeem winnings, so unilateral destruction can lock or disrupt access to funds and game history.

Missing User Warnings

Severity: Low
Confidence: 86%

Finding
The README instructs users to post their wallet publicly on a third-party forum to receive devnet USDC, but does not warn that wallet addresses become permanently linkable to forum identities and activity. While a public address is not a secret, encouraging public posting can create privacy, profiling, and targeting risks for users, especially if they later reuse the same wallet beyond the demo context.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding
The commands for entering and claiming the game imply blockchain transactions, but the skill text does not prominently warn users that these actions can spend wallet funds, create signed transactions, and incur transaction/network risk. For agent-driven use, this is dangerous because an automated system may invoke commands that alter on-chain state or transfer USDC without sufficiently informed user consent. The financial and wallet-connected setting increases the severity beyond a normal CLI omission.

VirusTotal

63/63 vendors reported this skill as clean.