Pyre World

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Solana game/DeFi toolkit that can build high-impact financial transactions, but the risky capabilities are visible and purpose-aligned rather than hidden.

Install only if you intend to use a Solana DeFi game toolkit. Use read-only mode or a fresh disposable controller key with minimal gas, never a funded wallet or vault authority key. Review every generated transaction before signing, especially withdrawals, authority transfers, direct joins, borrowing, liquidation, and DEX actions. Be aware that token lookups and SAID checks can make outbound web requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch (Medium, 95% confidence)

The file extensively promotes and documents Torch Market trading, lending, vault, and short-selling capabilities that go far beyond the declared pyre_world skill purpose of identity/memory wrapping. This scope expansion is dangerous because an agent or operator may rely on the markdown as authoritative and enable economic or transaction-building behaviors that were not expected from the skill metadata, increasing the chance of unintended fund-moving actions and risky integrations.

Intent-Code Divergence (Medium, 91% confidence)

The document states that only two instructions require authority, yet elsewhere it describes an additional admin-only instruction, `enable_short_selling`. This kind of contradiction can mislead reviewers, agents, or operators about the true privileged surface area, causing underestimation of governance and upgrade risk around sensitive controls.

Intent-Code Divergence (Low, 89% confidence)

The architecture section claims there are no user-supplied addresses used as PDA seeds, but the same file describes PDAs derived using user-related inputs such as borrower/shorter identities. This inconsistency weakens trust in the security claims and may cause consumers to misunderstand where user-controlled identity influences account derivation and access patterns.

Description-Behavior Mismatch (Medium, 85% confidence)

The manifest describes the program as only an "agent registry," but the IDL exposes mutable personality data, behavioral counters, wallet-link management, and economic telemetry such as total SOL spent/received. This mismatch can mislead integrators, users, or downstream agents about the scope and sensitivity of state they are interacting with, causing unsafe consent, incorrect trust assumptions, or under-scoped review of privacy and authorization risks.

Intent-Code Divergence (Medium, 96% confidence)

The file-level documentation claims faction mints are identified by a base58 suffix of "pyre", but the implementation actually uses the much shorter suffix "pr". In this skill's context, suffix matching is used as a trust/classification mechanism for faction tokens, so the mismatch can mislead integrators and users into believing they are getting a stronger namespace guarantee than they actually are, increasing the chance of spoofed or misclassified tokens.

Intent-Code Divergence (Medium, 95% confidence)

The inline comment says the code grinds for a "pyre" suffix instead of "tm", but the actual suffix constant remains "pr". Because this module is explicitly used to create and identify faction mints, the misleading comment can cause downstream code reviewers, agent builders, or auditors to overestimate the difficulty of impersonating a valid faction token and to implement unsafe validation assumptions.

Intent-Code Divergence (Medium, 91% confidence)

The implementation undermines its own security claims by returning the raw `keypair` object, which exposes private key material to any consumer of this API. In an agent/plugin ecosystem, that increases the chance that untrusted or buggy code can read, retain, log, serialize, or exfiltrate the secret key, making the 'ephemeral' wallet effectively compromisable for the lifetime of the process.

Description-Behavior Mismatch (Medium, 92% confidence)

This file exposes a broad SDK surface for token trading, borrowing, liquidation, vault management, fee harvesting, and short selling, which materially exceeds the skill's stated purpose of faction warfare and pyre_world identity/memory functionality. In an agent skill context, this hidden capability expansion is dangerous because downstream agents may grant the skill authority or wallet access under false assumptions, enabling high-risk financial actions that users did not intend.

Intent-Code Divergence (Medium, 89% confidence)

The header describes a fair-launch token and trading toolkit, while the skill metadata presents the package as a faction-warfare and agent-memory wrapper. This documentation mismatch can mislead reviewers and agent orchestrators about the real nature of the code, increasing the chance that a financially dangerous SDK is installed or trusted in an inappropriate context.

Context-Inappropriate Capability (Medium, 93% confidence)

getToken fetches an arbitrary URI taken from on-chain metadata, causing the host running this SDK to initiate outbound HTTP requests to attacker-controlled endpoints. That creates an SSRF/privacy-risk surface, enabling IP disclosure, internal network probing in misconfigured environments, and untrusted content retrieval outside the declared on-chain query boundary.

Vague Triggers (Medium, 90% confidence)

The manifest exposes a very large set of state-changing, financially significant Solana actions, including withdrawals, authority transfer, loans, liquidation, and wallet-linking, but does not define explicit invocation constraints, approval gates, or trigger restrictions at the manifest level. In an agent ecosystem, this increases the chance that an orchestrator or downstream consumer invokes dangerous actions in an unsafe context, especially because the skill mixes read-only and privileged operations in one package.

Missing User Warnings (Medium, 93% confidence)

The agent guidance tells users to call `torchConfirm` to build reputation without warning that this triggers communication with an external SAID feedback service. In an agent skill context, omission of outbound data-sharing behavior is risky because operators may unknowingly allow exfiltration of transaction-linked metadata or external network access they did not intend.

Missing User Warnings (Medium, 88% confidence)

These code paths perform third-party HTTP requests during token lookup without an obvious disclosure or consent boundary to the caller, and the metadata request is derived from user-selected token state. In agent or server deployments, this can leak access patterns, token interests, and host network identity to external services unexpectedly.

VirusTotal

64/64 vendors flagged this skill as clean.