Torch Prediction Market Kit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Solana prediction-market bot, but it can continuously spend vault funds from a local markets file and ships a broad financial SDK beyond the bot’s narrow workflow.

Install only if you intentionally want an autonomous Solana market bot. Prefer the reviewed bundled source or pin exact npm versions, fund a segregated vault with only the amount you are willing to risk, protect and review markets.json before starting, use a fresh disposable controller key, monitor logs and vault balance, and unlink the agent wallet when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (21)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 79%
Finding
The skill markets itself as a tightly scoped, vault-routed prediction-market bot, but the bundled SDK/kit exposes many additional high-risk financial and administrative capabilities, including direct trading, vault withdrawals, authority operations, lending, swaps, and external verification/API features. Even if the bot claims not to call them, shipping a broader-than-described action surface increases the chance that a runner, wrapper, future code path, or prompt/tool misuse could invoke dangerous functions with user funds or privileged vault context.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The audit minimizes oracle risk by claiming resolution has no financial impact, but the skill metadata says the treasury accrues trading fees and the vault manages positions. If resolution affects perceived market outcome, settlement logic, treasury value, or operator actions, a bad oracle result can materially affect funds or market integrity; this kind of understatement can cause operators to deploy with insufficient safeguards.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The documentation materially understates risk by claiming the ephemeral key has 'zero risk' while the function returns the raw Keypair object, which exposes secret key material to any code with access to the returned object. In this skill context, the agent key is authorized to operate a funded vault, so compromise of in-memory key material can enable unauthorized signing for vault-linked operations during the process lifetime.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This file introduces a third-party wallet reputation lookup capability that is outside the stated Torch Market vault-bot scope. Even if not overtly malicious, sending wallet identifiers to an external reputation service expands data sharing and trust boundaries, creating privacy, compliance, and supply-chain risk that operators may not expect.

Description-Behavior Mismatch

Low
Confidence: 87%
Finding
The code classifies on-chain Torch transactions into reputation-tracking event types, which extends behavior beyond simple market operations into behavioral profiling. While the logic is local, it supports downstream reputation attribution that may be undisclosed and can be used to score or monitor user activity in ways not described by the skill metadata.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The module is documented as read-only Solana token-state querying, but it also performs off-chain network access via arbitrary token metadata URIs and CoinGecko. This expands the trust boundary and can leak operator IP/network metadata, introduce SSRF-style access to attacker-controlled URLs, and make behavior depend on untrusted third-party services.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The file-level comments claim the code only queries token state from Solana, but getToken fetches arbitrary metadata from the URI stored on-chain and also calls CoinGecko. That mismatch is security-relevant because integrators may deploy this in restricted environments assuming no external egress, while attacker-controlled token metadata can trigger unexpected outbound requests.

Description-Behavior Mismatch

High
Confidence: 93%
Finding
The bundled IDL exposes a very broad Solana protocol surface—token creation, lending, treasury administration, fee harvesting, migration to Raydium, vault routing, and reward flows—that materially exceeds the stated purpose of a prediction-market bot. Even though this file is only an interface description, including and normalizing these capabilities inside the skill increases the chance that the agent can be prompted or misconfigured into invoking powerful financial operations unrelated to prediction-market execution, expanding the blast radius of compromise or prompt injection.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The presence of protocol-wide administrative instructions such as initialize, initialize_protocol_treasury, and update_dev_wallet is unjustified for an autonomous market bot and creates unnecessary access to dangerous control-plane actions. If the agent is ever given an admin key, mis-bound signer, or indirect transaction-building authority, these instructions could alter protocol configuration or fee destinations in ways that impact all users rather than only the bot’s own positions.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The vault surface includes generic withdrawal and external-DeFi escape-hatch functionality, specifically token withdrawal from vault ATAs to arbitrary destination accounts, which goes beyond a narrowly scoped prediction-market bot. In the context of an agent-integrated vault, this is dangerous because any prompt injection, policy bypass, or transaction-assembly bug can turn a strategy bot into a generic asset-exfiltration tool, despite the metadata claiming the human retains control.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
This SDK file exposes a much broader administrative and treasury-management surface than the skill metadata suggests, including token creation, vault administration, lending, migration, and fee harvesting. In an agent-skill setting, capability overreach is dangerous because an agent or wrapper may invoke privileged flows that users did not intend to grant, expanding the blast radius beyond a prediction-market bot.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
buildWithdrawTokensTransaction constructs authority-signed transactions that can move arbitrary vault-held tokens to any destination address. For a skill described as a prediction-market bot with vault custody, this is a high-risk escape hatch because compromise, prompt injection, or misconfiguration could drain all non-SOL assets from the vault to an attacker-controlled account.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
buildTransferAuthorityTransaction enables transfer of vault admin control to any supplied public key. In the context of an autonomous agent linked to a funded vault, exposing authority transfer is highly dangerous because a single mistaken or malicious invocation can permanently hand custody and all future control to an attacker.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
Borrow, repay, and liquidation add leveraged treasury interactions and collateral flows unrelated to the stated prediction-market-bot purpose. Even if the on-chain program enforces correctness, including these builders in the skill increases the ways funds can be moved or exposed to liquidation events, making prompt-injection or policy bypass materially more damaging.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
Migration to Raydium and vault-routed DEX swaps introduce external liquidity, routing, and treasury-conversion capabilities beyond the declared prediction-market scope. This broadens fund movement paths and can turn a market bot into a general trading and asset-routing agent, increasing loss potential if the agent is manipulated or misconfigured.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The whitepaper frames the skill around a much broader programmable token-launch, trading, lending, and treasury protocol than the declared skill purpose of a prediction-market bot. This mismatch can mislead operators about what capabilities the agent or integrated SDK may expose, increasing the risk of unintended financial actions or over-privileged integration decisions.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
These sections document direct token, market, treasury, migration, rewards, vault, swap, and lending instructions, which materially exceed the stated role of an autonomous vault-managed prediction-market bot. In an agent setting, understated scope is dangerous because users may authorize or deploy the skill under false assumptions about what transactions it can construct or route.

Missing User Warnings

Low
Confidence: 95%
Finding
The wallet address is transmitted to an external API endpoint without any visible disclosure, consent, or configuration control in this file. Wallet addresses are sensitive identifiers in blockchain contexts because they enable cross-transaction correlation and third-party profiling even if they are public on-chain.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document encourages on-chain message posting while emphasizing permanence and attribution, but does not provide a clear warning that posted content is irreversible, public, and linkable to wallet activity. In an agent context, users may unknowingly cause sensitive data, prompts, or identifying information to be immutably published on-chain.

Missing User Warnings

Medium
Confidence: 93%
Finding
The whitepaper promotes vault-routed 'full custody' behavior without an explicit warning about who controls the vault authority, what actions the agent can trigger, and how users may lose practical control over funds or token flows. This is more dangerous in this skill context because the advertised bot is autonomous and financial, so understated custody implications can lead users to delegate substantial asset control under incomplete understanding.

External Transmission

Medium
Category: Data Exfiltration
Content
Fetches current price from CoinGecko public API:

```
GET https://api.coingecko.com/api/v3/simple/price?ids={asset}&vs_currencies=usd
```

- No API key required
Confidence: 89%
Finding
https://api.coingecko.com/

VirusTotal

64/64 vendors flagged this skill as clean.
