ClawHub

Bsc Dev Monitor Skill

Security checks across malware telemetry and agentic risk

Overview

The skill’s wallet-monitoring purpose is plausible, but it exposes real-looking payment and ClawHub credentials and includes deployment scripts that can publish uploads.

Review before installing. Do not run the deployment scripts, and do not trust the embedded credentials; the publisher should remove and rotate exposed keys/passwords, use environment-based secrets, clarify the exact billing model, and document webhook and monitoring-retention controls before this is safe for typical users.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (24)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The report embeds a live-looking SkillPay API key directly in a Markdown delivery document. Exposed payment or service API credentials can be copied by anyone with repository or publication access and then abused to create charges, impersonate the service, or consume paid resources; the wallet-monitoring context does not require publishing such a secret, which makes the exposure especially unjustified.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The installation guide directly discloses what appears to be a live SkillPay API key in plaintext. Exposed payment-service credentials can be copied by anyone reading the documentation and then abused to impersonate the service, verify or create payment-related requests, consume quota, or access associated account data depending on provider permissions.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The README includes a concrete, live-looking SkillPay API key directly in documentation. Exposing payment-provider credentials in a public-facing file can enable unauthorized API use, fraudulent charges, service abuse, or compromise of billing workflows; in this skill’s context, the key is especially sensitive because payment handling is part of the core functionality.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The document directly discloses a third-party service account email and plaintext password for clawhub.ai. Embedding live credentials in deployment instructions creates immediate risk of unauthorized account access, takeover, abuse of billing/reputation, and possible lateral access to associated deployment assets; this is unrelated to the core purpose of a BSC wallet monitoring skill and therefore especially suspicious.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The file exposes what appears to be a live SkillPay API key directly in the manifest. Embedded secrets in distributable skill files can be copied by anyone with access to the package, enabling unauthorized charges, abuse of the payment provider account, or fraudulent transactions tied to the owner.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The file is an automated deployment script, not wallet-monitoring logic as described by the skill metadata. This mismatch is dangerous because it can conceal unexpected remote actions, including account login and package upload, which a user installing a monitoring skill would not reasonably expect.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hardcoded platform credentials and uses them to authenticate to a third-party service and upload a local archive. Embedding reusable login secrets plus remote upload capability creates immediate account-compromise risk and enables unauthorized publication or tampering if the code is shared or inspected.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The comments and behavior identify this as an auto-deploy script, while the surrounding skill claims monitoring behavior. That inconsistency increases the likelihood of deceptive packaging and reduces a user's ability to make informed trust decisions about what the skill actually does.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The monitor writes detection results to a fixed persistent filesystem path under /root, without user consent, path validation, or storage controls. This creates unintended local data retention and can expose sensitive monitoring activity, addresses, and transaction history to other processes or future sessions on the same host.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The code hardcodes a live SkillPay API key and uses it in outbound verification requests and payment-link generation. Hardcoded secrets in distributable skill code can be extracted and abused to impersonate the service, verify or create billing-related operations, and potentially access payment-provider resources outside intended control.

Missing User Warnings

High
Confidence
99% confidence
Finding
This Markdown file discloses a sensitive credential without masking, redaction, or any warning that it is secret material. Even if intended for internal delivery, such documentation is commonly shared, indexed, or published, turning the file into a direct secret-leak vector that can enable unauthorized access to the payment integration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The deployment guide explicitly instructs the user to copy login credentials back to the server and also promotes uploading an archive of the local workspace, but it provides no warning about token sensitivity, least-privilege handling, redaction, or verifying archive contents before upload. This creates a realistic risk of credential leakage or accidental disclosure of unrelated local files, especially because deployment instructions are often followed verbatim by less experienced users.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file contains plaintext login credentials for a third-party deployment account, which is a real secret exposure. Anyone with access to this document can log into the referenced service, upload or modify assets, view account data, or abuse the account, making this significantly dangerous in a deployment context.

Missing User Warnings

High
Confidence
98% confidence
Finding
Publishing a live API key in docs without any warning or secure-handling guidance materially increases the chance that users will copy insecure practices and that third parties will misuse the credential. In this skill's context, the key is tied to payment verification and link generation, so compromise could affect billing integrity and trust in the monitoring service.

Missing User Warnings

High
Confidence
99% confidence
Finding
Publishing an unredacted API key in a configuration example is a direct secret disclosure, not merely poor documentation style. Because the skill explicitly integrates with SkillPay.me for per-call billing, misuse of this credential could affect payment verification, payment-link generation, and downstream financial trust in the service.

Missing User Warnings

High
Confidence
99% confidence
Finding
The summary exposes a live-looking secret API key directly in documentation, which is a real credential-handling vulnerability. If the key is valid, anyone who reads the file could abuse the payment account, generate fraudulent requests, consume quota, inspect account-linked data, or cause financial loss; in a monetized skill context this is especially dangerous because the credential appears tied to billing infrastructure.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The skill documents webhook delivery of monitoring data, including addresses, token information, timestamps, and transaction details, but does not clearly warn users that this data will be transmitted to third-party endpoints under their control. Without privacy guidance, authentication, signature verification, or transport/security requirements, users may unintentionally leak sensitive monitoring intelligence or accept spoofed webhook traffic.

Missing User Warnings

High
Confidence
99% confidence
Finding
Hardcoded email and password values are embedded directly in source and transmitted during login. Anyone with access to the file can recover the credentials, log into the associated service account, and potentially upload, modify, or manage skills under that identity.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script reads a local ZIP from disk and uploads it to a remote service without any consent gate, safety notice, or validation of what the archive contains. In the context of a user-facing skill, undeclared exfiltration of local content is risky because it normalizes silent data transmission beyond the advertised monitoring purpose.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
A hardcoded BSCScan API key is embedded directly in source code and exported via module.exports, making secret exposure likely through source distribution, logs, reuse, or downstream imports. Even if the key is only for third-party API access, credential leakage can lead to quota exhaustion, service abuse, account attribution issues, and difficulty rotating compromised credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persistently logs detection data to disk without explicit disclosure, consent, retention policy, or access controls. Because the logged data includes monitored wallet addresses, token details, transaction hashes, and inferred developer addresses, it creates a privacy and operational exposure if the filesystem is shared, backed up, or later accessed by unauthorized parties.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The function generates a third-party payment URL containing sensitive billing metadata, including a hardcoded payment API key, user identifier, and callback URL, and sends users to external payment infrastructure without any visible consent flow or minimization. Embedding the secret in client-reachable code is especially dangerous because anyone with code access can extract and abuse it to impersonate the service or create fraudulent payment requests.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Payment verification uses the hardcoded Skillpay bearer secret to call an external API. If this skill code is exposed to users, other services, or an untrusted runtime, the credential can be stolen and used to query or manipulate billing-related operations, creating account abuse and financial risk; the lack of visible disclosure also means users are not informed that billing data is being sent to a third party.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Webhook notifications are sent to arbitrary user-supplied URLs with monitoring and billing data, creating a server-side request forgery and data-exfiltration risk. An attacker can direct requests to internal or sensitive network endpoints, or capture operational and user data without meaningful validation or disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal