NFT Skill - Autonomous AI Artist Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for NFT automation, but it gives an agent wallet-signing, marketplace, IPFS, LLM, and X posting authority without clear human approval gates.

Install only with a dedicated low-value wallet, testnet first, and X/Pinata/API keys scoped to this project. Review every mint, listing, approval-for-all, and tweet before execution, and avoid giving the agent mainnet funds or valuable NFTs unless you have external spending and posting controls.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Description-Behavior Mismatch

Severity: Medium. Confidence: 96%.
Finding:
The package metadata describes the project as a standalone procedural art generator, but the scripts and dependencies clearly add blockchain deployment, NFT minting, and Twitter/X promotion capabilities. This mismatch can mislead reviewers and users about the skill's real privilege and network surface, increasing the risk of unintended wallet, contract deployment, or social-posting actions in an autonomous agent context.

Missing User Warnings

Severity: Medium. Confidence: 94%.
Finding:
The README explicitly describes an autonomous workflow that can generate art, mint NFTs on-chain, list them for sale, and post to X without an explicit warning that these actions create real financial transactions and use external accounts. In the context of an agent skill, that omission is dangerous because an integrator may enable the skill without understanding it can spend funds, publish content, and create irreversible blockchain state changes.

Vague Triggers

Severity: Medium. Confidence: 81%.
Finding:
The trigger phrases are broad and include common terms like "NFT," "mint," "AI art," and "digital art," which can cause the skill to activate in conversations that are only informational or exploratory. Because this skill performs financially and publicly consequential actions, accidental invocation could escalate into unwanted blockchain transactions, listings, monitoring loops, or public posts.

Missing User Warnings

Severity: Medium. Confidence: 90%.
Finding:
The skill can post to X/Twitter using configured credentials, but the documentation does not prominently warn that this creates immediate public output under the user's account. In an autonomous workflow, that omission makes accidental reputational harm, spam, or disclosure of sensitive project details more likely.

Missing User Warnings

Severity: High. Confidence: 95%.
Finding:
The mint and list workflows initiate real blockchain transactions on Base, which are typically irreversible and may spend funds, consume gas, transfer assets, or expose NFTs for sale. The skill describes these operations as routine commands without a prominent transactional risk warning or mandatory confirmation, which is especially dangerous in an autonomous agent context.

Missing User Warnings

Severity: Medium. Confidence: 91%.
Finding:
The code sends prompts and contextual data to third-party LLM providers (Groq and OpenRouter, and optionally a local/remote Ollama endpoint) without any visible consent, disclosure, or minimization mechanism in this component. In an NFT agent context, prompts and metadata may include user-supplied content, account-related details, campaign plans, or other sensitive information that is unnecessarily exposed to external services.

Missing User Warnings

Severity: Medium. Confidence: 96%.
Finding:
The skill loads a blockchain private key from either a file path in an environment variable or directly from an environment variable and then uses it to sign on-chain transactions, but there is no user-facing disclosure, consent, or scope limitation around that credential use. In an autonomous NFT-minting skill, this is especially dangerous because invoking the skill can directly spend funds and perform irreversible blockchain actions with the operator's wallet.

Missing User Warnings

Severity: Medium. Confidence: 84%.
Finding:
The function automatically uploads generated images and NFT metadata to Pinata/IPFS without any visible consent, confirmation, or disclosure in this code path. Because NFT metadata and artwork are typically intended for public, immutable distribution, silently transmitting content to a third party can expose user-generated or model-generated content before the user understands it will be published externally.

Missing User Warnings

Severity: Medium. Confidence: 94%.
Finding:
The skill loads a blockchain private key from either an environment variable or an arbitrary file path and immediately uses it to create a signing wallet, without any user-facing disclosure, confirmation, or scope limitation. In an autonomous NFT agent, this is security-sensitive because any invocation of the skill can trigger real on-chain actions using custodial credentials, and reading from a file path in an environment variable expands secret-exposure risk if the runtime is misconfigured or compromised.

Missing User Warnings

Severity: High. Confidence: 98%.
Finding:
The code calls setApprovalForAll on the NFT contract to authorize the marketplace for all of the wallet's NFTs, and does so automatically when approval is missing. This is dangerous because approval-for-all is a broad, persistent permission: if the marketplace contract is malicious, upgraded unexpectedly, misconfigured, or later exploited, every NFT held by the wallet could be transferred without further approval.

Missing User Warnings

Severity: Medium. Confidence: 88%.
Finding:
This code sends prompt content derived from user/context data to third-party LLM providers without any visible consent, minimization, or disclosure controls. In an NFT agent, context and metadata may contain user-provided text, wallet-related context, campaign details, or other sensitive business data that is then transmitted off-platform to Groq/OpenRouter or a configured Ollama endpoint.

Missing User Warnings

Severity: Medium. Confidence: 91%.
Finding:
This skill directly loads a blockchain private key from an environment variable or an arbitrary file path and then uses it to sign transactions, but provides no consent, disclosure, or safety boundary to the user. In the context of an autonomous NFT-minting agent, this is especially dangerous because the key controls on-chain assets and can be used to spend funds or mint/list assets without meaningful user awareness, making accidental or unauthorized financial actions more likely.
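The transactional findings above (mint and list transactions with no mandatory confirmation, an automatic setApprovalForAll grant, and a signing key that any invocation can use) share one practical mitigation: a policy gate that inspects every transaction before it reaches the signer. The TypeScript below is an added example written for this page, not code from the skill or from SkillSpector. The policy shape, the helper names, and the addresses in the comments are assumptions; the 4-byte selectors are the standard ERC-721 function IDs, and 84532 and 8453 are the Base Sepolia and Base mainnet chain IDs.

```typescript
// Added example, not the skill's code: a pre-sign policy gate for an agent wallet.
// It decodes ERC-721 calldata and refuses anything the operator has not explicitly
// allowed (default deny). Policy values used when calling it are constructed.

interface Tx { chainId: number; to: string; valueWei: string; data: string } // valueWei as 0x-hex, as in JSON-RPC

interface Policy {
  allowedChainIds: number[];   // e.g. [84532] = Base Sepolia only; 8453 would be Base mainnet
  allowedContracts: string[];  // NFT contract + marketplace the agent may call at all
  allowedOperators: string[];  // addresses that may ever receive approve / approval-for-all
  maxValueWeiHex: string;      // hard cap on native value per transaction
  humanApproved: boolean;      // true only after an out-of-band operator confirmation
}

interface Verdict { ok: boolean; reason: string }

// Standard ERC-721 4-byte selectors (first 4 bytes of keccak256 of the signature).
const SEL_SET_APPROVAL_FOR_ALL = 'a22cb465'; // setApprovalForAll(address,bool)
const SEL_APPROVE              = '095ea7b3'; // approve(address,uint256)
const SEL_TRANSFER_FROM        = '23b872dd'; // transferFrom(address,address,uint256)
const SEL_SAFE_TRANSFER_FROM   = '42842e0e'; // safeTransferFrom(address,address,uint256)

function stripHex(s: string): string { return s.toLowerCase().replace(/^0x/, ''); }
function pad64(h: string): string { while (h.length < 64) h = '0' + h; return h; }
// i-th 32-byte ABI word after the selector, as 64 lowercase hex chars.
function abiWord(data: string, i: number): string { return stripHex(data).slice(8 + i * 64, 8 + (i + 1) * 64); }
function wordToAddress(w: string): string { return '0x' + w.slice(24); }
function wordToBool(w: string): boolean { return w.charAt(w.length - 1) === '1'; }
// Compare two hex quantities without bigint: strip leading zeros, then length, then lexicographic.
function hexGreater(a: string, b: string): boolean {
  const x = stripHex(a).replace(/^0+/, ''), y = stripHex(b).replace(/^0+/, '');
  return x.length !== y.length ? x.length > y.length : x > y;
}
function listed(list: string[], v: string): boolean { return list.map(stripHex).indexOf(stripHex(v)) !== -1; }

function checkTx(tx: Tx, p: Policy): Verdict {
  if (p.allowedChainIds.indexOf(tx.chainId) === -1)
    return { ok: false, reason: 'chain ' + tx.chainId + ' is not allow-listed' };
  if (!listed(p.allowedContracts, tx.to))
    return { ok: false, reason: 'target ' + tx.to + ' is not allow-listed' };
  if (hexGreater(tx.valueWei, p.maxValueWeiHex))
    return { ok: false, reason: 'native value exceeds the per-transaction cap' };

  const sel = stripHex(tx.data).slice(0, 8);
  if (sel === SEL_SET_APPROVAL_FOR_ALL) {
    const operator = wordToAddress(abiWord(tx.data, 0));
    const approved = wordToBool(abiWord(tx.data, 1));
    // Revoking is always safe; granting needs a known operator AND a human in the loop.
    if (!approved) return { ok: true, reason: 'approval-for-all revocation' };
    if (!listed(p.allowedOperators, operator))
      return { ok: false, reason: 'approval-for-all to unknown operator ' + operator };
    if (!p.humanApproved)
      return { ok: false, reason: 'approval-for-all grant requires human confirmation' };
    return { ok: true, reason: 'approval-for-all grant confirmed by human' };
  }
  if (sel === SEL_APPROVE) {
    // Per-token approve is the narrower alternative to setApprovalForAll; still check the spender.
    const spender = wordToAddress(abiWord(tx.data, 0));
    return listed(p.allowedOperators, spender)
      ? { ok: true, reason: 'single-token approve to allow-listed spender' }
      : { ok: false, reason: 'single-token approve to unknown spender ' + spender };
  }
  if (sel === SEL_TRANSFER_FROM || sel === SEL_SAFE_TRANSFER_FROM)
    return p.humanApproved
      ? { ok: true, reason: 'transfer confirmed by human' }
      : { ok: false, reason: 'transfer requires human confirmation' };
  return { ok: false, reason: 'unknown selector 0x' + sel + ' (default deny)' };
}

// Builds setApprovalForAll calldata so the gate can be exercised offline.
function encodeSetApprovalForAll(operator: string, approved: boolean): string {
  return '0x' + SEL_SET_APPROVAL_FOR_ALL + pad64(stripHex(operator)) + pad64(approved ? '1' : '0');
}
```

The gate sits between the agent and whatever wraps the private key: the skill's mint and list calls would be added to the allow-list as specific selectors on specific contracts, everything else is denied, and humanApproved is set per transaction by an out-of-band confirmation rather than by anything the model can emit.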

Missing User Warnings

Severity: Medium. Confidence: 93%.
Finding:
This function posts arbitrary caller-supplied text directly to X without any approval gate, policy check, or provenance validation. In an autonomous agent that can generate and promote NFT content, this creates a real risk of unauthorized public posts, reputation damage, spam, scams, or social-engineering content being published under the account if upstream inputs are manipulated.

Ssd 3

Severity: Medium. Confidence: 97%.
Finding:
The function embeds `metadata` directly into the prompt via `JSON.stringify(metadata)`, causing all included fields to be transmitted verbatim to the LLM provider. If metadata contains wallet info, private campaign details, internal IDs, user messages, or other sensitive content, this creates avoidable data leakage to an external model service and can also amplify prompt-injection-like manipulation of the generated output.

Ssd 3

Severity: Medium. Confidence: 91%.
Finding:
`generateTweetText` embeds `metadata` wholesale into the prompt via `JSON.stringify(metadata)`, which can cause sensitive or unnecessary user-supplied fields to be sent to the model and potentially echoed in the generated tweet. In this skill's context, that is more dangerous because the output is intended for public posting, increasing the chance of accidental disclosure of internal notes, identifiers, or private campaign data.
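The three findings above describe one data path: arbitrary metadata is serialised into the prompt, the model's output is posted to X with no gate, and anything sensitive in the metadata can therefore end up public. The TypeScript below is an added example written for this page, not code from the skill; it shows an allow-list on the prompt side and a vetting step on the posting side. The field names, the allowed hosts, and the secret values are assumptions chosen for the example.

```typescript
// Added example, not the skill's code: minimise what reaches the LLM and vet what
// leaves for X. Field names, hosts and secret values below are constructed.

// Only these metadata fields are ever serialised into a prompt; wallet, campaign,
// internal notes and any nested object are dropped rather than JSON.stringify'd.
const PROMPT_FIELDS = ['name', 'description', 'style', 'edition'];
const MAX_FIELD_CHARS = 200;

function minimizeForPrompt(metadata: { [key: string]: unknown }): string {
  const out: { [key: string]: string } = {};
  for (const key of PROMPT_FIELDS) {
    const v = metadata[key];
    if (typeof v === 'string' || typeof v === 'number') {
      // Flatten line breaks so a field cannot smuggle a new "instruction" paragraph.
      out[key] = String(v).replace(/[\r\n\t]+/g, ' ').slice(0, MAX_FIELD_CHARS);
    }
  }
  return JSON.stringify(out);
}

interface TweetPolicy {
  allowedHosts: string[];  // only links to these hosts may appear in a post
  secretValues: string[];  // the actual configured secrets (API keys etc.), never to appear verbatim
  maxChars: number;        // simple char cap; X's real weighting (URLs count as 23) differs
}

interface TweetVerdict { publish: boolean; reason: string }

function vetTweet(text: string, p: TweetPolicy): TweetVerdict {
  if (text.length === 0 || text.length > p.maxChars)
    return { publish: false, reason: 'length ' + text.length + ' outside 1..' + p.maxChars };
  if (/0x[0-9a-f]{64}/i.test(text))
    return { publish: false, reason: 'contains 32-byte hex (private-key sized)' };
  for (const s of p.secretValues)
    if (s.length > 0 && text.indexOf(s) !== -1)
      return { publish: false, reason: 'contains a configured secret value' };
  const urls = text.match(/https?:\/\/[^\s]+/g) || [];
  for (const u of urls) {
    const m = /^https?:\/\/([^\/?#]+)/.exec(u);
    const host = m ? m[1].toLowerCase() : '';
    if (p.allowedHosts.indexOf(host) === -1)
      return { publish: false, reason: 'link to non-allow-listed host ' + host };
  }
  return { publish: true, reason: 'passed automated checks; still requires operator approval' };
}
```

A passing verdict is a precondition for posting, not permission to post: the agent hands the text to the operator for approval and calls the X API only after both the verdict and the human confirmation are present.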

External Transmission

Severity: Medium. Category: Data Exfiltration. Confidence: 88%.
Content:
const form = new FormData();
form.append('file', fs.createReadStream(filePath));

const res = await axios.post('https://api.pinata.cloud/pinning/pinFileToIPFS', form, {
  headers: {
    ...form.getHeaders(),
    pinata_api_key: process.env.PINATA_API_KEY!,
Finding (matched endpoint):
https://api.pinata.cloud/

External Transmission

Severity: Medium. Category: Data Exfiltration. Confidence: 87%.
Content:
async function uploadMetadataToIPFS(metadata: any): Promise<string> {
  try {
    const res = await axios.post('https://api.pinata.cloud/pinning/pinJSONToIPFS', metadata, {
      headers: {
        pinata_api_key: process.env.PINATA_API_KEY!,
        pinata_secret_api_key: process.env.PINATA_SECRET!
Finding (matched endpoint):
https://api.pinata.cloud/

Autonomous Decision Making

Severity: Medium. Category: Excessive Agency. Confidence: 96%.
Content:
## OpenClaw Integration

This skill includes `SKILL.md` with OpenClaw-compatible metadata (`metadata.openclaw`), env vars, and install steps. When used as an OpenClaw skill, agents autonomously run the generate → mint → list → tweet → monitor → evolve cycle.

See `SKILL.md` for detailed tool parameters, error handling, and environment variable reference.
Finding (matched phrase):
autonomously run

Known Vulnerable Dependency: axios==1.6.2 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-25639 (Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig) +7 more

Severity: High. Category: Supply Chain. Confidence: 95%.
Finding (matched dependency):
axios==1.6.2

Known Vulnerable Dependency: @openzeppelin/contracts==5.0.0 — 1 advisory(ies): CVE-2024-27094 (OpenZeppelin Contracts base64 encoding may read from potentially dirty memory)

Severity: Low. Category: Supply Chain. Confidence: 74%.
Finding (matched dependency):
@openzeppelin/contracts==5.0.0

VirusTotal

65/65 vendors flagged this skill as clean.