juicy

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent Juicebox developer skill, but several wallet-connected blockchain templates can create real financial risk if copied as-is.

Install only if you are comfortable reviewing blockchain code before use. Treat the generated UIs and snippets as scaffolds: replace all mock data with verified on-chain reads, test on testnets, simulate transactions, avoid unlimited token approvals unless explicitly intended, verify Relayr payment targets/calldata, and require clear user confirmation before any mainnet wallet signature or transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (28)

Intent-Code Divergence

Severity: Medium
Confidence: 90%

The documentation gives conflicting guidance about GraphQL variable types, with earlier examples using Int for identifiers while the later 'GraphQL Type Inconsistencies' section says some equivalent queries require Float. In a developer skill that users may copy verbatim, this can cause silent query failures, incorrect data retrieval, or accidental mixing/omission of project data, which is especially risky for governance, treasury, and cross-chain monitoring workflows.

Intent-Code Divergence

Severity: Medium
Confidence: 95%

The NFT template is labeled and structured as a deployment UI, with wallet connection and a deploy button, but the implementation only alerts the user and logs tier data instead of submitting an on-chain transaction. This mismatch can mislead operators into believing a deployment occurred, causing operational errors, false assurances, and potentially unsafe follow-on actions based on a nonexistent contract state.

Intent-Code Divergence

Severity: Medium
Confidence: 96%

The Revnet template claims to deploy a revnet, but the code only assembles configuration, prints values, and shows guidance rather than performing a blockchain deployment. In a high-stakes blockchain context where deployment is permanent and financially significant, this mismatch can cause users to act on the false assumption that immutable infrastructure has been created.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%

The skill claims users can 'attach' hooks to Juicebox projects, but the implementation only prints manual instructions and does not perform the on-chain attachment step. In a blockchain deployment context, this mismatch can mislead operators into believing a safety-critical configuration change was completed, causing projects to run without the intended hook protections or business logic.

Intent-Code Divergence

Severity: Medium
Confidence: 94%

The overview and progress steps represent 'Attach' as an executed operation, yet `attachToProject()` only displays guidance text and marks the step complete. This leaves the UI in a misleading state in a high-risk workflow involving live smart-contract configuration, increasing the chance of user error, incomplete deployment, and false assumptions about project security controls being active.
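The findings above describe UI steps that are marked complete without any transaction having happened. The following is an added example, not code from the skill or from Juicebox, of a deploy-then-attach workflow whose steps advance only on a transaction receipt. The receipt fields (status, to, contractAddress, transactionHash) follow the usual eth_getTransactionReceipt shape; the project contract address and receipts used are constructed test data, and building and sending the actual transactions is left to the caller.

```javascript
// Added example, not code from the skill: a deploy-then-attach workflow whose
// steps advance only on a transaction receipt, never on a button click.
// Receipt fields (status, to, contractAddress, transactionHash) follow the
// usual JSON-RPC eth_getTransactionReceipt shape. The project contract
// address and the receipts used below are constructed test data; building and
// sending the actual transactions is left to the caller.

function isHexAddress(s) {
  return typeof s === 'string' && /^0x[0-9a-fA-F]{40}$/.test(s);
}

// Accept the status encodings different providers return for a mined, non-reverted tx.
function receiptSucceeded(r) {
  return Boolean(r) && (r.status === 1 || r.status === '0x1' || r.status === 'success');
}

function createWorkflow(projectContract) {
  if (!isHexAddress(projectContract)) throw new Error('projectContract must be a 20-byte hex address');
  return {
    projectContract,
    hookAddress: null, // only known after a real deployment
    steps: { deploy: { state: 'pending' }, attach: { state: 'pending' } },
  };
}

function fail(wf, step, reason) {
  wf.steps[step] = { state: 'failed', reason };
  return { ok: false, reason };
}

// Deploy step: confirmed only by a successful receipt that created a contract.
function recordDeployReceipt(wf, receipt) {
  if (!receiptSucceeded(receipt)) return fail(wf, 'deploy', 'deploy transaction missing or reverted');
  if (!isHexAddress(receipt.contractAddress)) return fail(wf, 'deploy', 'receipt carries no contractAddress');
  wf.hookAddress = receipt.contractAddress;
  wf.steps.deploy = { state: 'confirmed', txHash: receipt.transactionHash };
  return { ok: true, hookAddress: wf.hookAddress };
}

// Attach step: needs a confirmed deploy (so the hook address is real) and a
// successful receipt whose `to` is the project contract being configured.
function recordAttachReceipt(wf, receipt) {
  if (wf.steps.deploy.state !== 'confirmed') return fail(wf, 'attach', 'hook has not been deployed');
  if (!receiptSucceeded(receipt)) return fail(wf, 'attach', 'attach transaction missing or reverted');
  const to = typeof receipt.to === 'string' ? receipt.to.toLowerCase() : '';
  if (to !== wf.projectContract.toLowerCase()) {
    return fail(wf, 'attach', `attach transaction went to ${receipt.to}, not the project contract`);
  }
  wf.steps.attach = { state: 'confirmed', txHash: receipt.transactionHash };
  return { ok: true };
}

function isComplete(wf) {
  return Object.values(wf.steps).every((s) => s.state === 'confirmed');
}
```

The point of the structure is that the attach step cannot be reached without a hook address, and a hook address only exists once a deploy receipt has been observed; a progress indicator driven this way cannot show "attached" for a hook that was never deployed.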

Intent-Code Divergence

Severity: Medium
Confidence: 95%

The guidance says the generated UIs should support read-only viewing without a wallet, but several templates gate data loading behind wallet connection. In a blockchain payment/admin context, this mismatch can mislead users and downstream agents into believing a safer non-transactional mode exists when the UI actually pushes wallet connection first, increasing the chance of unnecessary wallet exposure and mistaken signing flows.

Intent-Code Divergence

Severity: Medium
Confidence: 98%

The payment UI is presented as showing project configuration and state, but the displayed treasury balance, token supply, and exchange rate are hardcoded placeholders. In a real-value transfer interface, false live stats can deceive users about what they will receive or the condition of the project, leading to uninformed on-chain payments that cannot be reversed.

Intent-Code Divergence

Severity: Medium
Confidence: 98%

The cash-out UI claims to estimate reclaim amounts from treasury surplus, but both token balance and reclaim preview are derived from mock values and a fixed formula rather than protocol state. Because cash-out operations burn tokens permanently, inaccurate previews can materially misrepresent redemption value and induce irreversible losses or user harm.

Intent-Code Divergence

Severity: Medium
Confidence: 97%

The admin UI displays treasury balance, distributable amount, surplus allowance, reserved tokens, and splits as if they are current, but they are hardcoded placeholders. In an administrative treasury interface, false operational data can cause project owners to authorize withdrawals or payouts based on incorrect assumptions, creating significant financial and governance risk.

Intent-Code Divergence

Severity: Medium
Confidence: 94%

The skill correctly states that cash-out returns should be shown in the project's base currency, but the example component still defaults `currencySymbol` to `ETH`. In practice, downstream implementers often copy examples verbatim, so a USDC-based project could display misleading redemption outputs, causing user confusion and potentially incorrect transaction expectations.

Missing User Warnings

Severity: Medium
Confidence: 87%

The skill describes generating wallet-connected deployment UIs for blockchain contracts without a strong upfront warning that these actions can trigger real on-chain transactions, gas costs, and potentially irreversible deployments. Because the skill targets project, hook, and revnet deployment, the context makes the omission more dangerous: users may treat generated interfaces as low-risk forms instead of tools that can spend funds and create permanent state.

Missing User Warnings

Severity: Medium
Confidence: 95%

The skill intentionally provides a generic write interface that can invoke any non-view contract function and request wallet signing, but it does so without an explicit user-facing warning that these actions are state-changing and may transfer value or trigger irreversible on-chain effects. In a contract-explorer context this is expected functionality, yet the absence of transaction-risk disclosure increases the chance that users sign harmful or unintended transactions, especially when exploring arbitrary contracts loaded from untrusted addresses and ABIs.

Missing User Warnings

Severity: Low
Confidence: 90%

The skill sends user-supplied contract addresses to third-party explorer APIs such as Etherscan, Basescan, and Arbiscan to fetch ABIs, but it does not disclose that this lookup reveals user interest in specific addresses to external services. While contract addresses are public blockchain data, the lookup behavior can still leak user activity patterns, internal investigation targets, or sensitive project research metadata.

Missing User Warnings

Severity: Medium
Confidence: 88%

The skill enables compilation, deployment, optional verification, and project hook configuration for blockchain contracts that may affect live funds, but it lacks an explicit warning about the operational and financial risk. In this context, insufficient risk signaling is dangerous because users may deploy unreviewed Claude-generated Solidity or interact with mainnet projects without understanding that hooks can alter payment and cash-out behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%

The skill description promotes simple standalone UIs for paying, cashing out, and minting, but does not prominently warn that these templates initiate real on-chain transactions involving ETH and token burns. In this context, omission of a clear value-transfer warning lowers user caution and makes misleading mock previews more dangerous, especially for users who may treat generated HTML as a harmless demo.

Missing User Warnings

Severity: Medium
Confidence: 85%

The omnichain deployment UI signs typed data for multiple chains and later submits a value-bearing payment transaction, but the template does not provide an explicit warning or review step explaining that the user is authorizing multi-chain actions. In a wallet UX context, this can mislead users about the scope and cost of what they are approving, increasing the risk of accidental authorization or social-engineering abuse if the template is reused as-is.

Missing User Warnings

Severity: Medium
Confidence: 92%

The skill documents transferring project ownership to the burn address as a recommended locking step, but the nearby presentation can lead users to copy an irreversible action without an explicit, immediate warning at the command site. In a deployment-oriented skill, omission of a strong warning is dangerous because it can permanently disable administration, upgrades, recovery, and future ruleset changes if performed prematurely or on the wrong project.

Missing User Warnings

Severity: Medium
Confidence: 95%

The skill explicitly instructs users to approve `maxUint256` to the Permit2 contract as a default workflow, but it does not warn that unlimited approvals persist and can expose the user's full token balance if the approved mechanism is later abused, misconfigured, or used with a malicious spender flow. In a blockchain payment skill, this is a real security issue because users are likely to copy-paste the pattern into production integrations and wallets, normalizing broad standing approvals without informed consent.
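As an added example (not code from the skill or from Juicebox), the following builds a bounded ERC-20 approval and flags unlimited ones during a transaction-review step, the check a wallet-connected UI should run before forwarding an `approve` to the wallet. Only the standard ERC-20 `approve(address,uint256)` ABI is assumed. `PERMIT2` is the widely published canonical Permit2 address and the token amounts are constructed; confirm both against the deployment you actually target before relying on them.

```javascript
// Added example, not code from the skill: build a bounded ERC-20 approval
// and flag unlimited ones during transaction review. Only the standard
// ERC-20 approve(address,uint256) ABI is assumed. PERMIT2 is the widely
// published canonical Permit2 address; confirm it against the official
// deployment before relying on it.

const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = '0x095ea7b3'; // first 4 bytes of keccak256("approve(address,uint256)")
const PERMIT2 = '0x000000000022D473030F116dDEE9F6B43aC78BA3';

function isHexAddress(s) {
  return typeof s === 'string' && /^0x[0-9a-fA-F]{40}$/.test(s);
}

// ABI-encode approve(spender, amount): selector + 32-byte padded address + 32-byte uint.
function encodeApprove(spender, amount) {
  if (!isHexAddress(spender)) throw new Error('spender must be a 20-byte hex address');
  if (typeof amount !== 'bigint' || amount < 0n || amount > MAX_UINT256) {
    throw new Error('amount must be a bigint in [0, 2^256-1]');
  }
  const spenderWord = spender.slice(2).toLowerCase().padStart(64, '0');
  const amountWord = amount.toString(16).padStart(64, '0');
  return APPROVE_SELECTOR + spenderWord + amountWord;
}

// Decode approve calldata; returns null for anything that is not exactly that call.
function decodeApprove(data) {
  if (typeof data !== 'string' || !data.startsWith(APPROVE_SELECTOR) || data.length !== 10 + 128) {
    return null;
  }
  const spender = '0x' + data.slice(10 + 24, 10 + 64);
  const amount = BigInt('0x' + data.slice(10 + 64));
  return { spender, amount };
}

// Review policy: approve only the expected spender, for exactly what the
// payment needs; anything at or above `unlimitedThreshold` is a standing
// approval the user must opt into explicitly.
function reviewApproval(data, expectedSpender, neededAmount, opts = {}) {
  const unlimitedThreshold = opts.unlimitedThreshold ?? (1n << 128n);
  const decoded = decodeApprove(data);
  if (!decoded) return { ok: false, problems: ['calldata is not approve(address,uint256)'] };
  const problems = [];
  if (decoded.spender !== expectedSpender.toLowerCase()) {
    problems.push(`spender ${decoded.spender} is not the expected ${expectedSpender.toLowerCase()}`);
  }
  if (decoded.amount >= unlimitedThreshold) {
    problems.push('unlimited (or effectively unlimited) approval');
  } else if (decoded.amount > neededAmount) {
    problems.push(`approval ${decoded.amount} exceeds the ${neededAmount} needed`);
  } else if (decoded.amount < neededAmount) {
    problems.push(`approval ${decoded.amount} is below the ${neededAmount} needed`);
  }
  return { ok: problems.length === 0, problems, spender: decoded.spender, amount: decoded.amount };
}

// Constructed usage: the skill's pattern (maxUint256 to Permit2) next to a bounded approval.
const needed = 250n * 10n ** 6n; // constructed: 250 units of a 6-decimal token
const unlimited = reviewApproval(encodeApprove(PERMIT2, MAX_UINT256), PERMIT2, needed);
const bounded = reviewApproval(encodeApprove(PERMIT2, needed), PERMIT2, needed);
```

`reviewApproval` is meant to sit between the UI and the wallet: when it reports an unlimited approval the UI should surface that as a separate, explicit opt-in rather than silently forwarding it, and the same decoder can be pointed at any `approve` calldata a template produces to audit what the skill's snippets would actually ask a user to sign.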

Missing User Warnings

Severity: Medium
Confidence: 93%

The skill provides direct ownership transfer and metadata update snippets without any surrounding warning, confirmation requirements, or discussion of irreversibility. In an agent skill context, this can cause an LLM or user to execute high-impact administrative actions that permanently transfer control of a project NFT or alter externally visible project metadata with little friction.

Missing User Warnings

Severity: Medium
Confidence: 93%

The skill describes a flow where users sign multi-chain requests and make an on-chain payment, but it does not prominently warn that these actions can cause irreversible contract execution, failed cross-chain bundles, or permanent fund loss. In this context, the omission matters because the skill is explicitly designed to facilitate live multi-chain execution, so readers may copy the flow into production use without understanding that a quote, payment target, and resulting executions must be independently validated.

Missing User Warnings

Severity: Medium
Confidence: 97%

The example code submits an on-chain payment directly to `paymentInfo.target` with `paymentInfo.calldata` returned by the API, without demonstrating any verification that the returned recipient, amount, chain, or calldata matches trusted expectations. This is dangerous because if the API is compromised, spoofed, misconfigured, or queried in the wrong environment, the user could be induced to sign and send funds to an arbitrary address or execute unintended payment logic.
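The verification the two findings above ask for, as an added example that is not the skill's or Relayr's code: gate wallet signing on a check of the API-returned payment instruction against what the user already reviewed. The field names `target` and `calldata` come from the skill's example; `chainId` and `value` on `paymentInfo`, and the allowlist shape of `expected`, are assumptions. The addresses and the selector used in the sample data are constructed placeholders, not real deployments.

```javascript
// Added example, not the skill's code: refuse to sign an API-returned payment
// unless chain, target, value and calldata selector match what the user
// reviewed. `target` and `calldata` are the field names in the skill's example;
// `chainId`, `value` and the `expected` allowlist shape are assumptions.
// All addresses and selectors below are constructed placeholders.

function isHexAddress(s) {
  return typeof s === 'string' && /^0x[0-9a-fA-F]{40}$/.test(s);
}

function isHexBytes(s) {
  return typeof s === 'string' && /^0x([0-9a-fA-F]{2})*$/.test(s);
}

// expected = {
//   chainId:   chain the wallet is connected to,
//   targets:   addresses the user agreed to pay,
//   valueWei:  the quoted amount the user saw,
//   selectors: 4-byte function selectors this flow is allowed to call,
// }
function verifyPaymentInfo(paymentInfo, expected) {
  const problems = [];

  if (Number(paymentInfo.chainId) !== Number(expected.chainId)) {
    problems.push(`chainId ${paymentInfo.chainId} differs from the wallet chain ${expected.chainId}`);
  }

  if (!isHexAddress(paymentInfo.target)) {
    problems.push('target is not a 20-byte hex address');
  } else {
    const allow = expected.targets.map((a) => a.toLowerCase());
    if (!allow.includes(paymentInfo.target.toLowerCase())) {
      problems.push(`target ${paymentInfo.target} is not an approved payment target`);
    }
  }

  let value;
  try {
    value = BigInt(paymentInfo.value);
  } catch (e) {
    problems.push('value is not an integer');
  }
  if (value !== undefined && value !== BigInt(expected.valueWei)) {
    problems.push(`value ${value} differs from the quoted ${expected.valueWei}`);
  }

  if (!isHexBytes(paymentInfo.calldata) || paymentInfo.calldata.length < 10) {
    problems.push('calldata is not well-formed hex with a 4-byte selector');
  } else {
    const selector = paymentInfo.calldata.slice(0, 10).toLowerCase();
    const allowed = expected.selectors.map((s) => s.toLowerCase());
    if (!allowed.includes(selector)) problems.push(`selector ${selector} is not one this flow may call`);
  }

  return { ok: problems.length === 0, problems };
}

// Only build the wallet request once every check passes. The UI should still
// show target, value and chain to the user before requesting the signature.
function buildSignRequest(paymentInfo, expected) {
  const v = verifyPaymentInfo(paymentInfo, expected);
  if (!v.ok) throw new Error('refusing to sign: ' + v.problems.join('; '));
  return {
    chainId: Number(paymentInfo.chainId),
    to: paymentInfo.target,
    value: '0x' + BigInt(paymentInfo.value).toString(16),
    data: paymentInfo.calldata,
  };
}

// Constructed sample data: what the user reviewed, a matching response, and a
// response whose target and value were swapped (the spoofed-API case).
const EXPECTED = {
  chainId: 1,
  targets: ['0x' + 'ab'.repeat(20)],
  valueWei: '1000000000000000',
  selectors: ['0x12345678'],
};
const GOOD = { chainId: 1, target: '0x' + 'AB'.repeat(20), value: '1000000000000000', calldata: '0x12345678' + '00'.repeat(64) };
const SPOOFED = { ...GOOD, target: '0x' + 'cd'.repeat(20), value: '5000000000000000' };
```

The allowlist of targets and selectors should come from configuration the application ships with, not from the same API response that is being checked; otherwise the check only confirms the response is self-consistent. This is a pre-signing sanity check, not a substitute for simulating the transaction.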

Missing User Warnings

Severity: Medium
Confidence: 95%

The examples show executable borrow flows that initiate a live on-chain loan without a prominent transactional risk warning at the point of use. In this skill's context, that is dangerous because the collateral is burned at origination and the user may treat the snippet as routine integration code without appreciating that the action is irreversible absent repayment and incurs immediate economic commitment.

Missing User Warnings

Severity: Low
Confidence: 89%

The skill embeds a browser UI that automatically connects to chain-specific RPC endpoints and queries live on-chain data, but the surrounding skill description does not warn users that using it will initiate external network requests. This is a real but low-severity issue because it can expose user IP/network metadata and create unexpected trust or privacy assumptions, especially when RPC URLs are controlled through shared configuration.

Missing User Warnings

Severity: Medium
Confidence: 94%

The example script calls `vm.startBroadcast()` and then directly invokes `queueRulesetsOf`, which will submit a real transaction if a user runs it with configured keys and RPC settings. In a skill intended to generate deployment and interaction scripts, presenting a live-broadcast pattern without an explicit warning or a safer dry-run/default flow increases the risk of accidental on-chain state changes, especially for governance-sensitive ruleset updates.

Missing User Warnings

Severity: Medium
Confidence: 92%

The skill includes a swap-based split hook example that sets `amountOutMinimum: 0` and provides no warning about slippage, MEV, or irreversible value loss. In a code-generation skill, this is dangerous because users may directly reuse the example or generated pattern in production, leading to front-runnable swaps and materially worse execution.

VirusTotal

63/63 vendors flagged this skill as clean.
