Bridge Stablecoin

Security checks across malware telemetry and agentic risk

Overview

This is a documentation skill for building Circle USDC bridge flows, with expected but high-impact wallet and credential handling risks.

Install only if you intend to build Circle USDC bridging. Use isolated low-balance test wallets first, keep private keys and Circle entity secrets out of source control and logs, pin dependencies in your project, and require an explicit confirmation of chain, recipient, token, and amount before any production transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium, 91% confidence

Finding
The example demonstrates a real value-transferring USDC bridge flow using privileged Circle Wallets credentials and wallet addresses, but provides no warning about irreversible transfers, key handling, or the custody/security implications of using developer-controlled wallets. In a copy-paste documentation context, users may run this against live credentials or misunderstand testnet/mainnet differences, increasing the risk of unintended asset movement or credential misuse.

Missing User Warnings

Medium, 88% confidence

Finding
This reference doc provides copy-pastable code that initiates a real USDC bridge using live private-key adapters, but it does not clearly warn that running the example will sign transactions and move funds. In a developer skill specifically about bridging assets cross-chain, users are likely to treat examples as safe boilerplate, which increases the chance of accidental fund movement or testing against the wrong network.

Missing User Warnings

Medium, 84% confidence

Finding
The example reads a private key directly from an environment variable and uses it to create a signing adapter, but it gives no guidance on secure secret handling, key scoping, or avoiding production keys. In this context, developers may paste high-value keys into local environments, logs, shells, or CI systems and then run code that can immediately authorize on-chain actions.

Missing User Warnings

Medium, 87% confidence

Finding
This example requires both an EVM private key and a Solana private key, expanding the attack surface and operational risk, yet it omits warnings about managing multiple sensitive credentials safely. Because the skill is specifically about cross-chain USDC movement, misuse can expose two wallets simultaneously and enable unintended signing on multiple chains.

VirusTotal

66/66 vendors reported this skill as clean.