metabot

Security checks across malware telemetry and agentic risk

Overview

This skill broadly matches its stated MetaBot purpose, but it stores wallet seed phrases and API keys in plaintext and can publish irreversible blockchain actions without strong confirmation controls.

Install only if you are comfortable with this skill creating blockchain wallets, storing seed phrases and possibly LLM API keys in a plaintext account.json file, and posting data to public blockchain/network services. Use a dedicated low-value wallet, keep account.json out of source control and shared folders, review the exact account and Buzz/avatar content before running commands, and avoid passing @file or avatar paths that point at sensitive local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
81% confidence
Finding
The skill advertises executable behavior involving environment access and network operations but does not declare corresponding permissions. This weakens user consent and platform policy enforcement because the agent may read local configuration and communicate externally without an explicit trust boundary being presented to the user.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose materially understates the skill's apparent capabilities: wallet generation, sensitive credential storage, .env ingestion, transaction signing/broadcasting, and arbitrary local file reads are far more powerful than simple bot creation and posting. This mismatch can mislead users and downstream agents into approving actions with financial, privacy, and system impact they did not meaningfully consent to.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The generic HttpRequest wrapper introduces a reusable arbitrary network access primitive that exceeds the stated purpose of creating MetaBots, setting avatars, and sending Buzz/on-chain messages. In an agent-skill context, such a primitive can be repurposed by other modules to exfiltrate wallet-derived data or contact unvetted endpoints without narrow allowlisting.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The HttpRequest class accepts arbitrary URLs and headers and will send attacker-controlled data to any destination when invoked, creating an outbound request gadget. In a skill that may process untrusted prompts or parameters, this can enable SSRF-like behavior, data exfiltration, and bypass of expected trust boundaries.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
`loadAvatarFromFilePath` accepts an arbitrary user-supplied local path, resolves it, and reads the file if it merely exists and has an allowed image extension. This expands the skill from handling only packaged avatar assets to accessing arbitrary local files on the host, which can expose sensitive user files or other local data if an attacker can influence the path or trick a user into supplying one.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The implementation performs security-sensitive actions beyond the declared skill scope: it generates wallets, persists mnemonics locally, and automatically claims blockchain rewards/subsidies. In an agent setting, hidden wallet creation and automated on-chain actions can cause users to unknowingly create custodial secrets and trigger transactions they did not clearly consent to.

Description-Behavior Mismatch

Low
Confidence
74% confidence
Finding
The code mutates stored account profile data based on prompt-parsed input, which exceeds the narrow avatar-setting description in the skill metadata. While lower impact than seed handling, undocumented profile mutation can lead to unintended persistent account changes and increases the gap between user expectations and actual behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Creating a MetaBot generates highly sensitive credentials and stores them in account.json at the project root, but the documentation does not prominently warn users about this secret material handling. Users may unknowingly create recoverable wallets whose mnemonics are left in plaintext on disk, exposing them to theft if the workspace is shared, synced, or later compromised.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documentation does not clearly warn that Buzz content is transmitted to the default MVC network, which may be public, persistent, and difficult to remove. Users may provide sensitive, regulated, or personal information believing this is a local or reversible action, causing unintended disclosure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The execution guidance instructs the agent to run commands and potentially auto-install dependencies, which can modify the system and execute unreviewed package scripts without a clear safety warning. In an agent setting, this increases the risk of supply-chain compromise, unexpected filesystem changes, and privilege misuse if users approve actions without understanding the consequences.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation explicitly instructs users to store highly sensitive secrets, including wallet mnemonics and LLM API keys, in a shared plaintext `account.json` at the project root. In the context of an agent skill that manages blockchain identities and on-chain actions, this creates a serious risk of credential theft through source control leaks, local compromise, backup exposure, or accidental sharing, and the lack of an explicit warning or safer storage guidance makes misuse more likely.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The documented extraction patterns are broad natural-language phrases that can cause the agent to infer a send-buzz action from loosely phrased user input. In a skill that can post on-chain messages, this increases the risk of unintended transaction creation, accidental fund expenditure, and user messages being irreversibly published without sufficiently explicit consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
These functions transmit blockchain addresses and, in one case, signature-derived authentication headers to third-party services, but the code provides no built-in notice, consent checkpoint, or minimization controls. In a wallet/agent setting, silent transmission of identifiers and proof-of-control metadata can leak user activity and enable privacy loss across services.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
broadcastTx submits raw signed transactions to a remote API without any confirmation or policy guard in this code path. If this function is reached through an automated or prompt-driven workflow, users could unintentionally broadcast irreversible transactions to the blockchain.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The generic client sends arbitrary payloads to remote URLs with no built-in disclosure, safety interstitial, or data classification. In an agent environment, this increases the chance that sensitive prompt, wallet, or identity data is transmitted off-platform without the user understanding where it is going.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script generates a new wallet mnemonic and immediately persists it, along with API keys/LLM config, into account storage without any explicit warning, encryption, or consent flow. Storing wallet seed phrases in plaintext local files creates a high-risk secret exposure path: any local compromise, accidental commit, backup leak, or multi-user system access can fully compromise the created agents and their funds/identity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code derives a wallet from a mnemonic, fetches UTXOs, signs transactions, and broadcasts them without any in-file enforcement of explicit user confirmation, transaction preview, destination verification, or spend limits. In an agent skill context, that is dangerous because a higher-level caller could trigger irreversible on-chain spends using a seed phrase, and the lack of built-in safeguards makes accidental or unauthorized fund movement much easier.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code writes the mnemonic and associated wallet details to persistent storage without explicit warning, consent, or protection. A mnemonic is the master secret for blockchain assets; if the account file is exposed through local compromise, backup leakage, logs, or other tooling, an attacker can fully take over the wallet and steal funds or identity.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The function broadcasts signed transactions immediately via broadcastTx unless noBroadcast is set, with no built-in user confirmation, preview, or explicit disclosure in this file. In an agent skill that can create on-chain actions and spend wallet funds, silent broadcasting is risky because a caller can trigger irreversible network-side effects and fees without a clear consent checkpoint.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module reads a raw mnemonic from account.json and makes it available for downstream signing operations without any visible consent, access control, or secure-storage boundary in this code. In an agent skill context, this is dangerous because any unintended invocation path can turn a locally stored seed phrase into active signing authority over wallet funds.

Missing User Warnings

High
Confidence
97% confidence
Finding
This function derives private keys from the mnemonic and signs arbitrary transaction data provided in parameters, with no visible policy checks, origin validation, transaction review, or user confirmation. In an agent skill, that creates a direct path for unauthorized fund movement if another component can supply crafted txHex/scriptHex values or trigger signing implicitly.

VirusTotal

66/66 vendors flagged this skill as clean.
