Security audit

Web3 Ops

Security checks across malware telemetry and agentic risk

Overview

This Web3 skill does what it advertises, but it gives an agent direct wallet-signing power while overstating its safety controls and storing/exposing wallet secrets in risky ways.

Install only if you intend to run a local hot-wallet automation tool and can keep its wallet low-value. Do not use a primary wallet or seed phrase, review every transaction outside the agent before broadcast, avoid MCP exposure to untrusted prompts, and treat .env plus command output/logs as full wallet-control material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding:
The README makes a security assurance that the skill never stores or accesses mnemonics/seed phrases during operations, yet elsewhere documents a `create-wallet` flow that generates a mnemonic and instructs the user to record it. In a wallet-managing skill, misleading claims about seed phrase handling are dangerous because users may trust the tool with higher-value wallets under false assumptions about secret exposure and persistence.

Intent-Code Divergence
Severity: High
Confidence: 99%
Finding:
The README claims private keys are handled only in volatile memory and are not persisted, but the documented `create-wallet` command writes `PRIVATE_KEY` and `MNEMONIC` to `.env`. This contradiction understates actual secret persistence risk; in an AI-integrated Web3 skill, local plaintext credential storage materially increases the chance of theft through local compromise, backup leakage, or accidental disclosure.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding:
The skill claims a strict human-in-the-loop safety model, but the documented behavior explicitly instructs the agent to translate natural-language requests into executable blockchain commands for transfers, swaps, bridging, minting, and raw transactions. That mismatch is dangerous because it can lead operators or downstream agents to overtrust the safety posture while enabling irreversible financial actions with a configured private key.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding:
This helper constructs a signing wallet from PRIVATE_KEY or MNEMONIC loaded from the local .env, giving a shared utility module direct access to highly sensitive credentials and transaction-signing capability. In an agent skill context, centralizing secret loading and signer creation in a common module increases blast radius: any command importing this helper can silently gain authority to spend funds or sign transactions.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding:
The module performs dynamic outbound requests to chainid.network to fetch alternative RPC endpoints and then probes arbitrary returned URLs, expanding network access beyond the statically defined list. In a security-sensitive agent environment, this creates a trust-boundary issue because remote infrastructure can influence where blockchain traffic is sent, exposing metadata and potentially routing requests through malicious or unreliable endpoints.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding:
The wallet creation routine does more than save credentials to a local .env file: it also prints the generated private key and mnemonic to the terminal and includes them in JSON output. In an agent/skill context, stdout is often captured by orchestrators, logs, chat transcripts, CI systems, or other tools, so this behavior can directly leak full wallet control material to unintended parties.

Intent-Code Divergence
Severity: Medium
Confidence: 99%
Finding:
The code deliberately obscures use of child_process by constructing the module name dynamically and explicitly states this is to bypass static scanners. In an installer, hidden process execution is especially dangerous because it reduces reviewability and can conceal arbitrary command execution during installation.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding:
The code deliberately constructs and dynamically imports child_process to evade static scanners, and the comment explicitly states that goal. Even if the subprocess use itself is not directly exploitable here, scanner-evasion behavior is a strong supply-chain red flag because it hides sensitive capability from reviewers and can mask later abuse.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding:
The skill exposes many irreversible on-chain operations, including transfers, swaps, bridges, NFT minting, and raw transactions, without a prominent general warning about transaction finality, asset loss, slippage, approval risk, bridge risk, or interacting with malicious contracts. In a wallet-enabled agent context, missing these warnings increases the chance that users authorize destructive or unrecoverable actions under false assumptions of reversibility or safety.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding:
The code reads wallet credentials from environment variables and immediately uses them to instantiate a signer without any disclosure or local safeguards in this module. For an agent skill, undisclosed secret use is dangerous because operators may not realize that importing a utility can activate custody over real funds.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding:
The function submits a live blockchain transaction that can transfer user funds and invoke arbitrary contract logic without any explicit confirmation or allowlist check at the point of execution. Because the skill can auto-detect a function from untrusted external ABI data and defaults to making the call directly, a user or upstream agent could trigger unintended paid interactions with a malicious or incorrect contract.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding:
When a price trigger is hit, the code automatically calls swapOrBridge with live trade parameters and no final confirmation, dry-run mode, or explicit opt-in for autonomous execution. In an agent setting, this is dangerous because a misconfigured threshold, manipulated price feed, or accidental invocation can cause irreversible asset sales without the user approving the exact trade at execution time.

Missing User Warnings
Severity: Low
Confidence: 77%
Finding:
The function sends the user's wallet address and token context to third-party explorer APIs, which leaks portfolio-interest metadata and ties the queried asset to the user's address. In a wallet-analysis skill, this is somewhat expected behavior, but the lack of an explicit warning or consent at the call site can expose sensitive financial privacy to external services without the user's awareness.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding:
The Uniswap V3 swap sets `amountOutMinimum: 0`, which disables slippage protection entirely. In an on-chain swap context, this allows execution at arbitrarily poor rates and makes the transaction highly susceptible to sandwich attacks, MEV exploitation, or routing into thin liquidity, potentially causing severe user fund loss.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding:
The PancakeSwap V3 swap also hardcodes `amountOutMinimum: 0`, eliminating all slippage bounds. Because this skill directly submits live swap transactions, an attacker or adverse market movement can cause the user to receive far less than expected, leading to substantial financial loss.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding:
This function performs highly sensitive actions—writing a new private key and mnemonic into .env and exposing them in console/JSON output—without a safety confirmation barrier before the secret write/exposure occurs. In agent environments, users may invoke this indirectly, and the resulting credential disclosure can lead to immediate theft of any assets sent to the wallet.

Natural-Language Policy Violations
Severity: Medium
Confidence: 86%
Finding:
The installer instructs users to place a wallet PRIVATE_KEY into a local .env file without presenting safer options such as hardware wallets, delegated signing, environment injection by the runtime, or explicit warnings about hot-wallet risk. In a Web3 operations skill, encouraging raw private key storage materially increases the chance of credential compromise and financial loss.

Missing User Warnings
Severity: Medium
Confidence: 82%
Finding:
The CLI exposes a `create-wallet` command that generates a wallet and stores credentials directly into a `.env` file, but the user-facing interface shown here provides no warning, confirmation, or guidance about secret sensitivity. In an agent-skill context, writing private keys or mnemonics to a local config file is dangerous because those files are often logged, committed, synced, or read by other tools, increasing the chance of credential leakage and total wallet compromise.

Missing User Warnings
Severity: High
Confidence: 97%
Finding:
This skill exposes high-risk financial actions such as transfer, swap, bridge, mint_nft, and custom_tx directly as callable tools, with no confirmation, policy gate, recipient validation, spending limits, or human approval step in this file. In an agent context, that is dangerous because a prompt-injected or mistaken model could trigger irreversible on-chain transactions that move funds or interact with malicious contracts.

Ssd 2
Severity: Medium
Confidence: 98%
Finding:
The comment normalizes and justifies bypassing static analysis, which is an adversarial indicator in security-sensitive code. In a wallet-operating MCP server, deliberately hiding use of child_process increases the chance that dangerous capabilities evade review and makes the overall skill context more suspicious.

Credential Access
Severity: High
Category: Privilege Escalation
Content:

newEnvContent = setEnvVar(newEnvContent, "PRIVATE_KEY", pkLine);
newEnvContent = setEnvVar(newEnvContent, "MNEMONIC", mnemonicLine);

// Write to .env
fs.writeFileSync(envPath, newEnvContent, { mode: 0o600 });

if (!options.json) {

Confidence: 87%
Finding:
.env

Credential Access
Severity: High
Category: Privilege Escalation
Content:

program
  .command("create-wallet")
  .description("Generate a random EVM wallet and configure its credentials in the .env file")
  .option("--force", "Force overwrite of existing PRIVATE_KEY or MNEMONIC in .env", false)
  .action((options) => {
    createNewWallet(getMergedOpts(options));
  });

Confidence: 89%
Finding:
.env

VirusTotal

VirusTotal findings are pending for this skill version.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal (+1 more)

Shell command execution detected (child_process).
Severity: Critical
Code: suspicious.dangerous_exec
Location: bin/install.js:112

Shell command execution detected (child_process).
Severity: Critical
Code: suspicious.dangerous_exec
Location: mcp-server.js:203

Environment variable access combined with network send.
Severity: Critical
Code: suspicious.env_credential_access
Location: actions/common.js:57

File appears to expose a hardcoded API secret or token.
Severity: Critical
Code: suspicious.exposed_secret_literal
Location: actions/mintNft.js:71

File appears to expose a hardcoded API secret or token.
Severity: Critical
Code: suspicious.exposed_secret_literal
Location: actions/pnl.js:80

File appears to expose a hardcoded API secret or token.
Severity: Critical
Code: suspicious.exposed_secret_literal
Location: actions/wallet.js:145

File appears to expose a hardcoded API secret or token.
Severity: Critical
Code: suspicious.exposed_secret_literal
Location: actions/whales.js:52

Instructions pass high-value credentials through process argv.
Severity: Critical
Code: suspicious.secret_argv_exposure
Location: SKILL.md:36