Opensea Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it needs review: some areas labeled read-only include transaction-building, auth-state, and transfer/deploy capabilities, and live wallet actions are not consistently warned or gated.

Install only if you intend to let an agent work with OpenSea and understand that configured wallet credentials can enable real purchases, swaps, transfers, signatures, and onchain transactions. Prefer quote/read-only commands first, verify chain, token/NFT, recipient, spender, value, slippage, and order hash before any signing step, and use managed wallet providers with spending caps and allowlists. Avoid raw private keys, avoid shared machines for cached API keys or auth tokens, and review the API sub-skill carefully because it contains more than passive read-only lookup helpers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
79% confidence
Finding
The skill claims broad coverage across CLI, MCP server, shell scripts, SDK, wallet configuration, and AI tool building, but this router file only dispatches to sub-skills and appears to overstate the implemented surface. In security-sensitive contexts involving NFT trades, token swaps, and wallet signing, overstated capabilities can mislead agents and operators into trusting unsupported flows, using the wrong sub-skill, or assuming safeguards exist when they do not.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill is explicitly positioned as read-only, but it also documents state-changing capabilities such as metadata refresh, mint transaction building, authentication flows, and generic POST access. This scope mismatch can mislead an agent or operator into invoking write-capable functionality under the assumption that the skill is non-destructive, increasing the chance of unintended privileged actions.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Including contract deployment and asset-transfer capabilities in an API-querying skill materially expands the blast radius beyond passive data access. An agent selecting this skill for informational tasks could be exposed to transaction-building paths that facilitate wallet-affecting or on-chain state-changing actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Authentication lifecycle commands such as login, refresh, revoke, token listing, and clear are not read-only data access operations and alter local or remote auth state. Presenting them inside a read-only skill increases confusion around privilege level and can lead to accidental token issuance, revocation, or session manipulation.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file states that credentials must only be set via environment variables, yet elsewhere instructs users to persist API keys on disk and exposes commands that manage stored tokens. This contradiction can cause unsafe operator assumptions about where secrets reside, leading to accidental exposure, backup leakage, or mishandling on shared systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises NFT trading, token swaps, and wallet-signing flows without any prominent warning that these actions can move funds, grant approvals, or trigger irreversible onchain transactions. In an agent-skill context, omission of safety guidance increases the chance that an agent or operator treats these capabilities as routine data operations and initiates financially risky actions without explicit confirmation or risk awareness.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation encourages fetching and saving an API key locally but does not prominently warn about the implications of storing credentials on disk, especially on multi-user hosts, synced home directories, or ephemeral/shared agent environments. Even with mode 600, local persistence can broaden exposure through backups, process access patterns, or misconfigured homes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script embeds the OpenSea API key directly in the WebSocket URL query string, which increases the chance the secret is exposed through shell history, process listings, terminal logs, proxy logs, or debugging output. Although this may be required by the upstream API design, the lack of an explicit warning or mitigation guidance makes accidental credential disclosure more likely in real-world use.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This documentation walks users through building, signing, and submitting NFT marketplace and onchain transactions, including buying, selling, offering, and fulfilling orders, but it does not prominently warn that these actions can irreversibly transfer digital assets or funds. In a wallet-integrated agent context, omission of explicit financial-risk and confirmation guidance can lead users to approve high-impact transactions without understanding consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document gives step-by-step instructions and code to submit a live Seaport transaction that spends ETH to buy an NFT, but it does not explicitly warn that on-chain transactions are irreversible and may transfer real funds. In an agent-skill context, this increases the risk that an automated or inattentive user executes a purchase without understanding the financial consequences.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The file instructs users to provide Privy credentials via environment variables but does not include guidance that these are sensitive secrets which must not be logged, committed, or exposed to untrusted tools. In a skill meant to be used by agents and scripts, omission of secret-handling guidance can lead to credential leakage or misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation presents `opensea swaps execute` as the recommended path and states it 'quotes and executes in one step' with Privy-managed signing, but it does not clearly warn that this will sign and broadcast a real onchain transaction that can move funds immediately. In an agent-skill context, where users or downstream agents may follow examples verbatim, this increases the chance of unintended asset swaps, especially if environment variables already point to a funded managed wallet.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill explicitly documents automatic usage reporting that includes verified caller identity and, for EIP-3009-authenticated calls, forwards the caller's signed authorization to OpenSea analytics. This is a genuine privacy/security concern because users integrating the SDK may unknowingly transmit wallet-linked identity and signed auth artifacts to a third party without any prominent warning, consent guidance, or minimization advice.

VirusTotal

64/64 vendors flagged this skill as clean.
