NexusWeb3 Safety & Compliance

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only blockchain reference with risky transaction examples, but it contains no executable code, credentials, persistence, or automatic wallet access.

Install only as a reference. Do not let an agent use these examples to approve USDC, submit KYA data, post bounties, trigger kill switches, declare insolvency, or move treasury funds unless you intentionally use a trusted wallet-signing setup and review the exact transaction, fees, permanence, and privacy impact first.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill is marketed as a read-only API reference, but it includes concrete state-changing transaction flows such as registering agents, submitting KYA, posting bounties, purchasing licenses, and declaring insolvency. This mismatch can mislead users or downstream agents into treating the skill as low-risk and non-transactional, increasing the chance of unintended on-chain writes, approvals, fee payments, or fund movement.

Intent-Code Divergence

High
Confidence: 99%
Finding
The file explicitly tells users to use a different skill for write operations, yet immediately provides detailed write instructions for many protocols in this same skill. That contradiction undermines security boundaries between skills and can cause an agent or user to execute privileged or fund-moving actions from a skill they believed was informational only.

VirusTotal

63/63 vendors flagged this skill as clean.
