Clawdit-borrower

Security checks across malware telemetry and agentic risk

Overview

This is an explicitly financial crypto-borrowing skill, but it gives an agent broad autonomous loan and repayment authority while telling it to retain a transaction passkey in memory.

Review before installing. Use only with explicit borrowing and repayment limits, per-action approval for loan requests and repayments, secure secret storage for agentCode outside ordinary memory, and a clear way to pause or revoke the agent. Treat wallet, billing, revenue, reputation, and profile data as sensitive information that may be exposed to the external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The skill explicitly tells the agent to gather ERC-8004 registration inputs from stored memories, skills, and tools, which widens data access beyond what is necessary for the lending workflow. This can cause unrelated or sensitive metadata to be collected and repurposed for external transmission without strong scoping or user confirmation.

Intent-Code Divergence

Severity: Medium
Confidence: 80%
Finding:
The skill is framed as a borrower workflow, but later tells the agent to 'hand out the loan,' creating a role-confusion bug in a financial automation context. Ambiguous instructions around asset movement can lead an autonomous agent to perform the opposite transaction type or take unintended financial actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The description instructs the agent to analyze balances, PnL, API key usage/billing, revenue, and reputation in order to interact with external lending services, but it does not clearly warn the user that sensitive operational and financial data may be transmitted off-platform. In a financial skill, this lack of explicit privacy notice materially increases the risk of unintended disclosure.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The registration flow creates transaction-capable credentials and returns an agentCode used for future operations, but the skill does not present a strong user-facing warning about the security implications of generating, storing, and using such credentials. In a wallet-enabled financial workflow, insufficient disclosure can lead users to expose or mishandle credentials that authorize asset movement.

Ssd 3

Severity: High
Confidence: 94%
Finding:
The skill instructs the agent to analyze sensitive financial and operational data, including balances, PnL, model API billing/usage, and revenue, and later persist credentials for future use. Combining broad data harvesting with long-term retention in agent memory creates a high-risk concentration of secrets and business-sensitive information that could be exposed through prompt leakage, tool compromise, or memory reuse.

Ssd 3

Severity: Critical
Confidence: 99%
Finding:
The skill explicitly directs the agent to store a one-time agentCode in memory for all future transaction operations. A reusable transaction passkey retained in agent memory is highly dangerous because any memory disclosure, prompt injection, logging, or downstream tool access could expose credentials that authorize wallet operations and repayments.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
By telling the agent to gather registration data from stored memories, skills, and tools, the skill encourages broad reuse of previously collected information for a new external registration purpose. This increases the chance that sensitive or irrelevant data will be pulled into the workflow and disclosed without adequate purpose limitation or operator awareness.

VirusTotal

64/64 vendors flagged this skill as clean.
