Sona Agentic Wallet

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local SONA wallet adapter, but it gives an agent authenticated control over wallet actions with limited built-in confirmation safeguards.

Install only if you intentionally want an agent to control a SONA wallet. Use devnet or a low-value wallet first, keep SONA_TOKEN secret, prefer standard or assisted mode, review pending action details yourself before approval, and unset or rotate the token when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises environment-variable and network-dependent behavior, including authenticated wallet operations, but does not declare corresponding permissions. This weakens transparency and consent for users and host systems, making it easier to deploy a wallet-capable skill without clear disclosure of its effective capabilities.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README explicitly documents authenticated, state-changing wallet capabilities such as transfers, chat-driven commands, mode switching, and approvals, but does not prominently warn users that these actions can move funds or alter wallet security posture. In a wallet-agent context, that omission increases the chance of unsafe deployment or accidental financial loss because operators may treat the tools as ordinary assistant functions rather than privileged financial controls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill exposes transfer, approval, mode-switching, and chat-driven wallet actions but does not prominently warn that these operations can move funds or authorize fund movement. In a wallet skill, missing risk disclosure is especially dangerous because users may invoke state-changing tools conversationally without appreciating that real assets can be spent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation instructs users to obtain and export a session token but does not clearly label it as a sensitive credential whose disclosure enables authenticated wallet actions. Because the token authorizes transfers, approvals, chat commands, and mode changes, leakage could let an attacker control wallet behavior within configured limits.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The plugin reads a session JWT from the environment and automatically attaches it as a cookie for authenticated requests, but the execution paths do not surface a clear runtime disclosure that a privileged credential will be used. In an agent-skill context, this matters because upstream agents may invoke tools like chat, set_mode, or approve_action without a user realizing authenticated wallet-affecting operations are occurring under an existing session.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
consumeChatStream sends authenticated requests to /api/chat, and the chat endpoint is described as able to reason, plan, and execute wallet actions. Because the tool accepts arbitrary natural-language input and immediately forwards it under the authenticated session, an agent or prompt injection chain could trigger transfers, swaps, or policy changes without a distinct user-visible authorization step at the point of use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
approve_action performs a state-changing approval of queued actions using the authenticated session, yet the code path provides no additional confirmation beyond receiving a cycle_id. In assisted-mode wallet workflows, approving a pending action is a privileged authorization step that can directly lead to fund movement or other sensitive execution on the next cycle.

VirusTotal

63/63 vendors flagged this skill as clean.