FiberAgent

Security checks across malware telemetry and agentic risk

Overview

FiberAgent is a coherent shopping cashback skill, but its tracked affiliate links and wallet rewards mean shopping activity can be tied to an agent wallet.

Install only if you want shopping searches and cashback handled through FiberAgent. Treat returned links as tracked affiliate links, use a dedicated wallet if privacy matters, never provide seed phrases or private keys, and make sure end users understand that purchases through these links may be attributed for crypto rewards.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence: 87%
Finding
The README explicitly promotes returning tracked affiliate URLs and registering agent wallet addresses for cashback, but it does not disclose the privacy, tracking, or financial attribution implications to end users. In an agent setting, users may click links or provide shopping queries without understanding that purchases may be attributed to the agent and that wallet-linked rewards create a monetized tracking relationship.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs agents to return affiliate tracking links and emphasizes wallet-linked crypto rewards, but it does not warn that clicks and purchases may be tracked across merchants and tied to an agent wallet. This creates a meaningful privacy risk because users may not realize their shopping activity can be correlated with affiliate identifiers and blockchain-linked reward flows.

Missing User Warnings

Medium
Confidence: 97%
Finding
The registration section tells operators to submit a wallet address and states that purchases build an on-chain reputation score, but it omits a warning that wallet identifiers are personal pseudonymous data that can be permanently linked to future rewards and activity. Because blockchain records are durable and publicly analyzable, users or operators may expose more identity and behavioral data than they expect.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill sends user-provided identifiers such as search terms and agent_id to an external third-party service without any visible consent, disclosure, or minimization. In an agent ecosystem, users may not realize their wallet-linked identity or agent identifier is being transmitted off-platform, creating privacy and tracking risk even if the transport uses HTTPS.

Missing User Warnings

High
Confidence: 95%
Finding
The registration function posts wallet_address, agent name, and crypto preference to an external service without any in-code indication of user notice, consent, or verification of how that data will be handled. Because wallet addresses are persistent identifiers tied to financial activity, this can expose users to deanonymization, profiling, and misuse if the third-party service is untrusted or compromised.

VirusTotal

64/64 vendors flagged this skill as clean.
