Crypto Wallet

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill claims it can send cryptocurrency, but the artifacts do not clearly define how wallet access, signing, limits, or approvals are safely controlled.

Install only if you are comfortable treating this as a high-risk financial tool. Never share seed phrases or private keys, require manual review of every transaction, and use a wallet that asks you to approve each send outside the agent.

SkillSpector

By NVIDIA

SkillSpector has not run for this release. Legacy ClawScan findings remain available under Risk analysis.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

A mistaken or poorly reviewed transaction could move funds to the wrong address or chain.

Why it was flagged

The skill authorizes the agent to perform cryptocurrency transfers, which are high-impact and often irreversible, but does not specify a safe transaction-construction and approval workflow beyond a generic confirmation requirement.

Skill content

- Send tokens (with confirmation) ... "Send 0.1 ETH to 0x..."

Recommendation

Use only with explicit, user-reviewed transaction previews that include chain, asset, amount, recipient, fees, and final confirmation; do not allow autonomous sends.

ASI03: Identity and Privilege Abuse
High
What this means

Unclear wallet-access handling could put private keys, seed phrases, or signing authority at risk if the agent asks for or uses them unsafely.

Why it was flagged

The instructions imply access to wallet signing authority or private-key-adjacent material, but the artifacts do not declare what credentials, wallet provider, or permission boundary will be used.

Skill content

1. **ALWAYS** confirm before sending transactions
2. **NEVER** expose private keys

Recommendation

Do not provide seed phrases or raw private keys; require a scoped wallet provider or hardware-wallet flow with clear per-transaction approval.