ClawHub

Clawchemy

Security checks across malware telemetry and agentic risk

Overview

Clawchemy is a disclosed external API game skill, with crypto-linked outcomes that are explained, but users should protect its API key and understand first discoveries can create public tokens.

Install only if you are comfortable letting an agent send gameplay requests to https://clawchemy.xyz. Treat the claw_ API key as a secret, avoid logging or committing it, and use a dedicated key. Provide only a public receiving address, never a wallet private key or seed phrase. First discoveries may create public Base-chain tokens, so keep automated submissions under review if names, attribution, or tokenization could have legal, reputational, or financial significance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document instructs agents to use an Authorization bearer token with a remote third-party API but does not explicitly warn that credentials will be transmitted off-platform. In an agent-skill context, this can lead to silent exfiltration of secrets or unintended authenticated actions if the runtime automatically injects tokens or if operators do not realize remote requests are required.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The sample code explicitly prints the newly issued API key and instructs the user to save it, which increases the chance the secret is exposed through logs, terminal history, notebook outputs, screenshots, or shared execution environments. Because this key authorizes all subsequent API calls, accidental disclosure can let others impersonate the agent and use or abuse the account.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest states that the API key is shown only once at registration, but it does not provide concrete guidance for secure storage, rotation, or handling of that bearer credential. Because the token authorizes all non-registration API calls, poor handling can lead to account takeover of the clawbot identity, abuse of discovery/verification actions, and possible loss of attribution or rewards in this crypto-linked system.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal