Bsc Dev Monitor Skill

Security checks across malware telemetry and agentic risk

Overview

The wallet monitor is mostly recognizable, but the package exposes payment and platform credentials and includes deployment/publishing actions that are not appropriate for an end-user monitoring skill.

Do not run the deployment scripts, and do not install this package until the publisher removes and rotates the exposed credentials/API keys, aligns the actual price and billing mode, and clearly documents which safety checks are implemented. If you still use it, set finite monitor durations and only provide webhook URLs you control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (31)

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The document embeds a live-looking billing configuration with a payment provider API key and describes charge-related capabilities that expand the skill from wallet monitoring into account billing operations. Even though this is documentation, exposing billing credentials and normalizing automatic charging creates a clear risk of unauthorized use, abuse of the provider account, and deployment of functionality outside the skill's stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
The documented endpoints for balance checks, charges, and payment links introduce payment-provider account operations unrelated to the core promise of monitoring BSC developer wallets. This increases the attack surface and user-risk profile because a consumer expecting a passive monitoring tool may unknowingly invoke financial actions or integrate unnecessary billing code.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding:
The file claims the product is a 'pure monitoring tool' while simultaneously documenting automatic charging and payment processing. This contradiction is a security-relevant trust issue because it can mislead users and reviewers about the skill's real behavior, reducing scrutiny around financial operations and making deceptive billing easier to hide.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The README contains a concrete SkillPay API key, which is a real secret exposure. Anyone who reads the documentation can potentially use the credential to impersonate the skill, create or verify payments, consume account resources, or access billing-related functionality; this capability is also broader than the core purpose of a wallet-monitoring skill, increasing concern.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The document directly exposes a third-party service login email and password for clawhub.ai. Hardcoded credentials in deployment documentation create immediate unauthorized access risk to the associated account and are unrelated to the wallet-monitoring function of the skill, which makes their presence especially suspicious and dangerous.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The manifest contains what appears to be a live SkillPay API key embedded directly in the skill metadata. Exposed payment credentials can be harvested by anyone with access to the package, enabling unauthorized billing operations, account abuse, or takeover of payment-related actions associated with the skill.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The file is presented as part of a BSC wallet monitoring skill, but the code actually performs automated login and publication to a third-party platform. This mismatch is dangerous because it hides unrelated privileged behavior from users and reviewers, increasing the chance that credentials and local artifacts are transmitted unexpectedly.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
This code contains remote account login and skill publishing capability that is unrelated to the stated monitoring functionality. Embedding account-authenticated publishing logic in a skill package creates a supply-chain and account-takeover risk, especially if the script is run by someone who does not expect it to contact external services with privileged operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding:
The skill unconditionally marks detections as charged with a billing amount in the output, despite no visible payment verification or authorization logic tied to the monitoring event. In an agent skill context, this can enable deceptive or unauthorized billing behavior, especially because the purpose is wallet monitoring rather than payment processing.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding:
The skill embeds payment-generation and payment-verification logic, including a hardcoded SkillPay API key, even though wallet monitoring does not inherently require exposing billing secrets in code. This creates a real security issue because anyone with code access can extract and abuse the credential for unauthorized payment operations or account misuse, and the payment gate can be trivially bypassed by setting payment_verified=true in input unless server-side trust boundaries exist elsewhere.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The script hardcodes a real-looking payment/API key inside deployment metadata even though the skill’s purpose is only BSC wallet monitoring. It then includes that secret in data printed and later embedded into a publish URL, creating a strong risk of credential leakage, account abuse, or unauthorized charges if the key is valid.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The comments describe this as a simulated deployment because of environment limitations, but the code includes a realistic credential and constructs an actual publish URL containing the full serialized payload. That mismatch can mislead reviewers or operators into underestimating the sensitivity of the data being exposed.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The examples show billing occurring before monitoring via `chargeUser(userId)` but do not prominently warn that each monitor invocation will automatically deduct funds. This is dangerous because users or integrators may trigger repeated calls, retries, or automated polling without understanding the financial consequence, leading to unexpected charges and potential abuse.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The document contains a live-looking SkillPay API key in plaintext, which is a direct secret exposure. Anyone with access to this file could reuse the credential to impersonate the skill, generate charges, access billing functionality, or abuse the associated account, especially because this skill’s context centers on payment integration.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The guide tells the user to copy login credentials or use a bearer token for CLI authentication, but it does not warn that these secrets must be protected or avoided in shell history, logs, screenshots, and clipboard sync. In a deployment guide, this omission can lead to credential leakage and unauthorized publishing or account compromise if the token is exposed.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The API deployment section instructs users to archive and upload the entire skill directory to a remote service without advising them to inspect the package for secrets, unnecessary files, or sensitive local artifacts first. This creates a realistic risk of accidentally transmitting credentials, test data, private keys, or hidden files to a third party.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The deployment guide directly exposes a real-looking email address and password and instructs users to log into a third-party service with them. Publishing credentials in plaintext enables unauthorized account access, account takeover, fraud, and possible reuse attacks if the same credentials are used elsewhere.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The guide instructs users to retrieve an artifact from a server path via scp without clarifying authorization requirements, host verification, or sensitivity of the file. This can normalize unsafe server access practices and may lead users to access systems or artifacts they are not authorized to retrieve, or to trust unverified infrastructure.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The document contains what appears to be a live secret API key directly in installation instructions. Exposed credentials can be harvested and abused to impersonate the service, consume paid resources, access billing-linked APIs, or pivot into related systems; in a public skill package, this is especially dangerous because the audience is broad and the leak is durable.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
Publishing a live-looking API key in documentation without any warning or masking is a direct credential disclosure. Even if intended as an example, readers cannot distinguish it from an active production secret, and attackers routinely scrape public repositories for exactly this kind of token.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The deployment instructions tell the operator to use exposed login credentials without any secure-handling guidance, effectively encouraging secret sharing in plain text. This increases the chance of credential theft, unauthorized deployment actions, and account compromise by anyone who can read the file.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The file exposes a live-looking secret API key directly in documentation, which can allow unauthorized parties to use the payment integration, generate charges, consume quota, or impersonate the skill's billing identity. In a publicly shared skill package, this is especially dangerous because documentation is widely copied, indexed, and retained, making secret compromise effectively permanent.

Missing User Warnings

Severity: Medium
Confidence: 78%
Finding:
The skill encourages sending blockchain activity and monitor metadata to arbitrary webhook URLs without any warning about third-party data transmission, retention, or receiver trust. This can lead users to unknowingly forward potentially sensitive trading intelligence, wallet-monitoring targets, or activity logs to external services they do not control.

Missing User Warnings

Severity: High
Confidence: 100%
Finding:
The script hardcodes plaintext credentials and transmits them to a remote login endpoint. This is highly dangerous because anyone with access to the source gains immediate access to the associated account, and accidental execution or code leakage can compromise the publisher account and any assets or skills tied to it.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script reads a local ZIP from a fixed path and uploads it to a remote service without clear consent or validation. This can unintentionally exfiltrate local package contents, including embedded secrets or proprietary code, especially because the file path is hardcoded and the action is part of an automated flow.

VirusTotal

66/66 vendors flagged this skill as clean.
