ClawHub

Unclaimed SOL Scanner

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Solana wallet scanner that clearly discloses sending a public wallet address to unclaimedsol.com before use.

Install only if you are comfortable sharing a public Solana wallet address with unclaimedsol.com for analysis. Do not provide seed phrases or private keys, and review any wallet transaction carefully if you later visit the website to claim funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes a shell script (`bash {baseDir}/scripts/scan.sh <wallet_address>`) but does not declare corresponding permissions. Undeclared execution capability weakens transparency and policy enforcement, making it easier for a skill to perform external actions reviewers or runtime controls may not expect, especially when it also sends user data to a third-party API.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script transmits the user-supplied Solana wallet address to a third-party service without any explicit disclosure, consent, or local-only alternative. Wallet addresses are sensitive financial metadata: sending them to an external domain enables tracking, profiling, and correlation of a user's holdings or activity, which is especially risky in a wallet-scanning skill whose purpose is to inspect financial accounts.

External Transmission

Medium
Category
Data Exfiltration
Content
exit 1
fi

RESPONSE=$(curl -s -f -X POST "$API_URL" \
  -H "Content-Type: application/json" \
  -d "{\"publicKey\": \"$WALLET\"}" \
  --max-time 15 2>/dev/null) || {
Confidence
96% confidence
Finding
curl -s -f -X POST "$API_URL" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal