Million Bit Homepage NFTs

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its NFT-minting purpose, but it needs review because a crafted image filename could cause unintended local JavaScript execution during mint preparation.

Review before installing. Use only trusted, plainly named local image files, inspect the prepared transaction fields before wallet approval, and remember that a confirmed mint spends real ETH plus gas and makes the image, URL, and metadata public and effectively irreversible on Base.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill clearly instructs the agent to execute local shell commands such as npm install and multiple scripts under scripts/, but it does not declare corresponding permissions. Undeclared shell capability weakens policy enforcement and review because an agent may execute commands the user or platform did not explicitly authorize, increasing the chance of unsafe command execution or unexpected system/network access.

Missing User Warnings

Medium
Confidence: 88%
Finding: The skill emphasizes permanence and on-chain publication, but it does not present a clear, explicit warning that the uploaded image and URL will become permanently public and effectively irreversible once submitted. Users may unintentionally publish sensitive, copyrighted, or identifying content, and the blockchain context makes mistakes unusually hard to remediate.

VirusTotal

66/66 vendors flagged this skill as clean.