ClawHub

Alkahest Developer

Security checks across malware telemetry and agentic risk

Overview

This is documentation-only blockchain SDK guidance with risky copy-paste examples, but no hidden code or automatic execution.

Install only if you are comfortable with blockchain developer tooling. Treat all examples as testnet/demo patterns, never paste real private keys into source files or chat, verify package names and contract addresses from official Alkahest sources, and require explicit review before approving tokens or sending any transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill includes multiple copy-pastable examples that use literal placeholders like "0xPRIVATE_KEY" and immediately perform approvals, escrow creation, collection, and other on-chain actions without any surrounding warning about secure key handling, testnet-only use, transaction review, or the financial consequences of broadcasting transactions. In a developer-assistance skill, this is dangerous because users may adapt the examples verbatim into unsafe local scripts, hardcode secrets, or run real token-moving operations without understanding approval scope, chain selection, or fund-loss risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation demonstrates constructing the client with a raw private key string directly embedded in source code, but provides no warning about secret handling. In a developer-facing SDK reference, this can normalize unsafe credential practices such as hardcoding keys, committing them to repositories, or exposing them in logs and shell history, which can lead to wallet compromise and loss of on-chain assets.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The API reference presents write-capable methods such as approve, create, collect, pay, attest, commit, slash_bond, and arbitrate without clearly warning that they may submit transactions, spend funds, grant approvals, or otherwise mutate on-chain state. In this skill context, developers may copy examples into live environments and unintentionally authorize asset movement or incur irreversible blockchain actions and fees.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The reference shows constructing a signing client with a raw private key placeholder and immediately demonstrates methods that can submit transactions, but it gives no warning about secret handling, secure key storage, or the fact that these examples may cause live on-chain state changes. In a developer-facing blockchain SDK, this omission can normalize unsafe credential practices and lead users to hardcode keys, use production wallets in examples, or unintentionally execute transactions against real networks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation includes an inline example using `privateKeyToAccount("0xKEY")` without any accompanying warning about secret handling. In a developer-facing SDK reference, this can normalize hardcoding private keys or pasting real secrets into source files, which often leads to accidental key exposure through commits, logs, screenshots, or client-side bundles.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal