The Flip Publish

Security checks across malware telemetry and agentic risk

Overview

This is a real Solana devnet game skill, but it deserves Review because it can read local wallet keypairs, sign fund-moving transactions, and includes admin operations with limited safeguards.

Install only if you are comfortable using a dedicated devnet-only Solana wallet. Do not point it at a mainnet or valuable keypair, inspect transactions before running enter, claim, withdraw-fees, or close-game-v1, and avoid the curl-piped installer unless you independently trust and verify the upstream source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

Medium severity, 95% confidence
The skill is presented as a simple game participation/demo tool, but it also exposes privileged operator actions like fee withdrawal and game closure/migration. This mismatch is dangerous because users or integrators may grant trust or execution to the skill expecting only gameplay behavior, while the script includes materially more sensitive administrative capabilities.

Context-Inappropriate Capability

Medium severity, 96% confidence
The script automatically loads a wallet secret key from disk or ANCHOR_WALLET, which gives it signing authority over the user's Solana wallet without any prominent warning in the skill description. In an agent-skill context, undisclosed credential access is sensitive because users may invoke the skill for gameplay while unintentionally allowing blockchain transactions from a local private key.

Context-Inappropriate Capability

Medium severity, 94% confidence
The script includes an administrative fee-withdrawal command that is not disclosed by the skill's user-facing purpose as a coin-flip game. Hidden or under-disclosed fund-management capability is risky because it increases the blast radius of accidental execution and may surprise users, auditors, or orchestration systems that assume only player actions are present.

Context-Inappropriate Capability

Medium severity, 95% confidence
The script exposes a game-closure/migration operation despite the skill being described as ordinary gameplay. A destructive administrative action like closing a PDA can interrupt service, alter availability, and potentially affect game state or funds, so hiding it behind an innocuous game skill materially increases operational risk.

Description-Behavior Mismatch

Medium severity, 97% confidence
The description promises that winners receive the full jackpot, yet the program state includes separate jackpot_pool and operator_pool balances and a withdraw_fees instruction for the authority. This makes the public-facing claim materially misleading and can cause users to misprice risk and expected payout before transferring USDC.

Description-Behavior Mismatch

Medium severity, 97% confidence
The description promises that winners receive the full jackpot, yet the program state includes separate jackpot_pool and operator_pool balances and a withdraw_fees instruction for the authority. This makes the public-facing claim materially misleading and can cause users to misprice risk and expected payout before transferring USDC.

Intent-Code Divergence

Medium severity, 94% confidence
The claim instruction documentation says it pays the 'entire jackpot,' but the broader IDL indicates deposits are partitioned and not all vault funds belong to winners. In a real-money game skill, this inconsistency is dangerous because it obscures economic behavior and can mislead users about what assets are actually claimable.

Description-Behavior Mismatch

Medium severity, 95% confidence
The manifest frames this as a simple jackpot coin-flip game, but the program also includes privileged operator fee extraction and an authority-only destructive close path. Hidden or under-disclosed admin capabilities are a real trust and security issue in on-chain gambling-style apps because users may incorrectly assume funds are governed only by game rules when an operator can siphon fees or terminate state.

Missing User Warnings

Medium severity, 91% confidence
The README instructs users to post their wallet publicly on a third-party site to receive funds and to pass a local keypair path on the command line, but it does not warn about privacy risks or safe key handling. Public wallet posting can expose users to profiling and targeting, and normalizing direct keypair-file usage without guidance increases the chance users mishandle sensitive credentials or use a funded key unsafely.

Vague Triggers

Medium severity, 81% confidence
The markdown description is broad promotional copy and does not clearly bound what the skill will do, what systems it may interact with, or what preconditions and risks apply before use. For an agent-integrated skill involving wallet actions and external services, underspecified activation scope raises the chance that users or agents invoke it without understanding that it can trigger blockchain-related operations and dependency installation.

Missing User Warnings

Medium severity, 97% confidence
The skill instructs users to run an entry command that spends 1 USDC, but it does not present an explicit warning at the point of use that this creates a paid blockchain transaction and may be irreversible. In wallet-connected agent contexts, missing spend warnings materially increase the risk of accidental authorization and user financial loss.

Missing User Warnings

Medium severity, 97% confidence
Loading the wallet secret key from a default filesystem path or environment variable without a user-facing warning is a real safety issue for an agent skill. Even if the code is common in Solana developer tooling, the surrounding skill context makes it more dangerous because users may not realize the tool will access sensitive credentials and sign transactions on their behalf.

Missing User Warnings

High severity, 98% confidence
The close-game operation is destructive and executes immediately with no confirmation prompt, dry-run output, or safety interlock. In an operational script that can access a real wallet, this creates a high risk of accidental service disruption or irreversible state changes from a mistyped or misunderstood command.

Missing User Warnings

Medium severity, 81% confidence
The enter instruction explicitly transfers 1 USDC into the vault, yet the docs do not prominently warn that this is an irreversible asset transfer into a gambling contract with delayed and conditional payout. In the context of a live jackpot game, missing transfer-risk warnings increase the chance of users depositing funds without understanding custody loss and claim conditions.

Missing User Warnings

Medium severity, 88% confidence
The withdraw_fees instruction moves funds out of the vault under authority control, but the docs do not provide a clear warning that the operator can extract accumulated fees from the same custody system holding player deposits. In a wagering application, under-disclosing operator fund movement materially increases trust and transparency risk for users.

Missing User Warnings

Low severity, 83% confidence
The close routine lets the authority drain lamports and zero account data for the game PDA with no on-chain state checks, migration guardrails, or prominent disclosure. In a live game context, this can abruptly destroy state relied on by participants and can interfere with claims or auditability even if it does not directly move token jackpot funds.

VirusTotal

64/64 vendors flagged this skill as clean.