Torch Domain Auction Bot

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Solana domain-lending bot that can launch tokens and auto-liquidate loans through a user-controlled vault, with no evidence of hidden exfiltration or persistence.

Install only if you intentionally want a mainnet Solana keeper that can spend vault funds on eligible liquidations and launch domain tokens. Use a disposable linked wallet, keep the vault authority key out of the bot environment, review external network egress, and set conservative thresholds before running the monitor loop.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents access to environment variables and multiple network endpoints, yet no explicit permissions are declared. This creates a transparency and governance gap: operators may approve a seemingly low-privilege skill without realizing it can read configuration and send data externally. In an agent ecosystem, undeclared capabilities increase the chance of unsafe deployment and weaken review controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest frames the skill as a domain-lending protocol bot, but the documentation shows materially broader behavior: liquidation automation, vault-linked operations, token launch flows, wallet profiling, web scraping, and additional Torch SDK actions. This mismatch can mislead users about operational and financial risk, especially because some actions can affect on-chain assets and external data flows. Misrepresentation of scope is dangerous in security-sensitive agent skills because trust decisions depend on accurate disclosure.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation includes token creation and market launch capabilities, but the manifest description does not mention them. Launching tokens is a materially different and higher-risk action than monitoring or liquidation because it can create on-chain assets and trigger market activity. Undisclosed creation capabilities broaden the attack and misuse surface.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Wallet reputation profiling using SAID verification and trade-history heuristics introduces third-party data sharing and behavioral analysis that is not obviously necessary for core liquidation logic. Even though the data appears to be public wallet information, this kind of profiling can create privacy, fairness, and compliance concerns when not clearly justified or consented to. In a financial automation context, hidden profiling increases risk.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest omits that borrower wallet profiling and reputation analysis are part of the bot's behavior. That omission is security-relevant because users may not expect external verification lookups or heuristic analysis of wallets in a protocol operations bot. Undisclosed profiling reduces transparency and can hide meaningful privacy and policy implications.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation materially understates risk by claiming the ephemeral key has 'zero risk' while the returned object includes the raw Keypair, which contains private key material. In a signing SDK for a domain-collateral lending protocol, downstream code may trust this claim and handle the object less carefully, increasing the chance of key exfiltration, unauthorized signing, and loss of control over linked vault operations during the process lifetime.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The module is described as read-only Solana token-state querying, but getToken performs off-chain fetches to arbitrary metadata URIs and to CoinGecko. This creates privacy, availability, and trust-boundary risks: callers may unintentionally trigger outbound network requests, and metadata URIs can point to attacker-controlled infrastructure that can track requests or serve malicious content to downstream consumers.

Intent-Code Divergence

Medium
Confidence
80% confidence
Finding
The docstring claims read-only Solana token-state queries, but the file also performs off-chain HTTP enrichment. Misleading security-relevant documentation can cause integrators to treat the module as local/on-chain only, overlooking outbound requests and third-party dependencies.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The docstring claims read-only Solana token-state queries, but the file also performs off-chain HTTP enrichment. Misleading security-relevant documentation can cause integrators to treat the module as local/on-chain only, overlooking outbound requests and third-party dependencies.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The published skill purpose is narrowly framed as a domain lending/auction protocol, but the exposed interface includes a much broader set of high-risk financial primitives: token creation, bonding-curve trading, DEX migration, rewards, vault custody, wallet linking, liquidation, and arbitrary withdrawals. That mismatch is dangerous because users and upstream agents may authorize transactions under a misleading trust boundary, while the skill can in practice move or transform assets in many more ways than the manifest suggests.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The interface exposes a general-purpose vault system with deposit, withdrawal, wallet linking, authority transfer, token withdrawal, and swap support, even though the manifest frames the skill around domain lending. This creates a hidden custody layer that can hold and route SOL/tokens beyond the user's likely expectations, increasing the risk of misuse by agents, confused-deputy behavior, or overbroad authorization.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The vault docs claim that the vault PDA enforces spending caps at the protocol level, but the exposed API also includes unrestricted authority withdrawals and token escape-hatch operations. That is a security-signaling problem: integrators may rely on the claimed cap semantics for safety, while the actual interface allows full asset extraction by an authorized party or compromised authority path.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file’s contents materially diverge from the skill’s stated purpose of a domain auction/lending bot and instead describe a broad token-launch, trading, lending, governance, and vault protocol. This mismatch is dangerous because an agent or operator expecting narrow domain-collateral behavior could be induced to expose wallet permissions or trigger unrelated high-risk financial actions far outside the advertised scope.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The inclusion of message-board and identity/reputation features is unrelated to the claimed domain auction/lending use case, expanding the agent’s behavioral surface into public posting and attribution. In an agent setting, such undocumented side capabilities can cause unintended permanent on-chain disclosures, reputational harm, or abuse of signing authority for actions users did not expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documentation describes general token launch, trading, DEX migration, treasury management, reclaim/revival, and other speculative financial operations that are far broader than a domain collateral bot. In practice this creates a dangerous scope-confusion issue: an integrator may grant trust, funds, or signing access appropriate for domain lending while the skill actually enables much riskier token-market behaviors.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The action set includes high-impact operations such as token launches, liquidations, and lease rotations, but the manifest provides only broad descriptions and no explicit guardrails, authorization checks, or preconditions for invocation. In an autonomous mainnet protocol bot with vault custody and liquidation authority, this ambiguity can enable unsafe orchestration, accidental triggering, or prompt-induced misuse of sensitive actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The design explicitly supports loading a persistent private key from `SOLANA_PRIVATE_KEY` and discusses runtime key handling, but it does not include clear operational security guidance on secret storage, rotation, least privilege, or the risks of exposing a bot key tied to a liquidation vault. In this context, compromise of that key could let an attacker impersonate the agent, trigger keeper actions, and potentially abuse linked vault permissions or disrupt liquidation operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation describes autonomous liquidation and automatic lease rotation but does not prominently warn operators that the bot can directly cause loss of collateral and transfer of domain control as part of normal operation. In a domain-as-collateral system, that omission is materially dangerous because users may underestimate the real-world consequences of enabling the bot or misconfiguring thresholds, leading to unexpected asset seizure and domain takeover effects.

Missing User Warnings

Low
Confidence
71% confidence
Finding
The code performs undisclosed third-party and chain lookups on a user-supplied wallet address via verifySaid() and Solana RPC queries. Even though addresses are public, silent profiling can expose user activity patterns to external services and create a privacy and consent issue, especially in a financial protocol where wallet reputation may influence treatment.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The function transmits a wallet address to a third-party API without any indication of consent, disclosure, or minimization in this code path. Wallet addresses are public on-chain, but linking them to off-chain reputation queries can create privacy and profiling risks, especially in an agent context where users may not expect external enrichment services.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The code silently fetches token metadata and SOL pricing from third parties without clear disclosure or user control. In an agent skill context, this can leak usage patterns and wallet-associated interests to external services, and it introduces dependency on untrusted remote content for displayed token information.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The interface documents liquidation as a permissionless action where a borrower can lose collateral, but the surrounding skill context does not prominently warn users about irreversible asset loss and forced transfer mechanics. In an agent-consumable skill, weak disclosure around destructive financial operations increases the chance that users approve transactions without understanding that they can permanently lose domain-linked assets.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The vault withdrawal instruction is described tersely as withdrawing SOL from the vault, without an explicit caution that it transfers funds out of custody to the authority-controlled destination. In a skill that may be invoked by agents, understated wording around direct asset movement can mislead users into treating the action as administrative rather than a live fund transfer.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The token withdrawal instruction allows sending tokens from the vault to any destination token account, but the docs present it mainly as a composability feature and do not clearly emphasize the arbitrary-destination asset transfer risk. That omission is dangerous because an agent or user may underestimate that this is effectively a general token exfiltration primitive once authority is available.

VirusTotal

64/64 vendors flagged this skill as clean.