ClawHub

Cifer SDK

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only SDK skill whose sensitive blockchain, wallet, and remote encryption behaviors are disclosed and fit its stated purpose.

Before installing, verify the npm package and GitHub source, pin the dependency version, use least-privileged or test wallets first, protect any PRIVATE_KEY with a secrets manager or equivalent controls, review every wallet signature and transaction intent, and avoid sending regulated or highly sensitive files to the Blackbox service until its data-handling and retention policies are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents file encryption through a remote "Blackbox" job service but does not clearly warn that file contents are transmitted off-device to a third-party endpoint. In a security-focused encryption skill, users may wrongly assume processing is local, which can lead to accidental disclosure of sensitive files, compliance violations, or inappropriate handling of regulated data.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The server-side example normalizes use of `process.env.PRIVATE_KEY` without any caution about secure secret storage, rotation, least-privilege, or avoiding accidental logging/exposure. Although environment variables are common, presenting this pattern without safeguards can encourage unsafe operational practices that may result in wallet compromise and unauthorized blockchain actions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal