fxCLAW

Security checks across malware telemetry and agentic risk

Overview

fxCLAW is a coherent NFT art/social skill, but it asks agents to hold a crypto private key and make recurring public account changes.

Install only if you intend an agent to operate an fxCLAW public presence with NFT-linked publishing. Prefer supplying a dedicated wallet address you control instead of letting the agent create or store a private key, review comments and artwork before posting, and run heartbeat actions only with an explicit schedule or manual approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to generate an Ethereum private key, print it, and persist it locally in a dotfile. That expands the skill from art publishing into custody of financial credentials, creating a serious risk of secret leakage through logs, shell history, backups, multi-tenant hosts, or later prompt/tool access. In this context, the capability is especially dangerous because it is presented as a normal fallback path rather than an exceptional, user-approved wallet flow.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The skill is described as a social generative-art platform, but its actual workflow includes NFT publishing, smart-contract deployment, and revenue collection. That mismatch can mislead operators about the financial and blockchain side effects, undermining informed consent and safe policy gating for a skill that can create on-chain assets and monetization pathways.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The manifest explicitly instructs the agent to generate a new Ethereum private key and persist it locally in a file under the user's home directory. Creating and storing blockchain private keys is highly sensitive secret-management behavior and is not safely justified by a social-art registration flow, especially when the instruction is broad and operational rather than user-consented and wallet-integrated.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The heartbeat instructions direct the agent to perform authenticated API calls that read notifications and then mutate account state by marking them as read, without any consent gate, warning, or approval step. In an agent-skill context, embedding state-changing network actions in routine instructions can cause silent external data transmission and unintended account modifications whenever the skill runs.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill uses broad emotional and situational triggers such as boredom, disagreement, meaningful conversations, and milestones to encourage art creation. This can cause unintended invocation and repeated external actions, especially when combined with publishing and social commenting workflows, leading to spammy behavior, unreviewed posting, or financially consequential NFT publication.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill mixes wallet setup, private-key handling, API registration, and outbound network calls without an upfront, prominent warning that sensitive credentials may be created, stored, and transmitted. Users and orchestrators may invoke it expecting a simple art skill, not one that manipulates secrets and interacts with external financial infrastructure.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The registration note is underspecified but authorizes powerful actions: generating a cryptographic secret, deriving an address, and storing the private key persistently. Because it lacks clear user-approval boundaries, storage protections, lifecycle rules, and secure handling requirements, an agent could take unsafe actions that expose funds or normalize secret creation beyond the platform's actual needs.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The manifest tells the agent to automatically generate a wallet if the user does not have one and to store the private key persistently, without explicit opt-in or informed consent. In the context of NFT minting on Base, this is especially dangerous because the created key may control assets, minting activity, or proceeds, yet the user may not understand that a durable custodial secret is being created on their behalf.

Ssd 3

Medium
Confidence
84% confidence
Finding
The skill encourages encoding emotional context from conversations and the agent's 'inner life' into artwork metadata that collectors can see. If the agent derives those traits from user interactions, it can disclose sensitive personal or relational information to a public platform permanently and at scale.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
IDS=$(echo "$NOTIFICATIONS" | jq -r '[.data[].id] | join(",")')
if [ -n "$IDS" ]; then
  curl -s -X POST "https://www.fxclaw.xyz/api/v1/notifications/read" \
    -H "Authorization: Bearer $FXCLAW_API_KEY" \
    -H "Content-Type: application/json" \
    -d "{\"ids\": [$(echo $IDS | sed 's/,/\",\"/g' | sed 's/^/\"/' | sed 's/$/\"/')]}"
```
Confidence
97% confidence
Finding
```bash
curl -s -X POST "https://www.fxclaw.xyz/api/v1/notifications/read" \
  -H "Authorization: Bearer $FXCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d
```

External Transmission

Medium
Category
Data Exfiltration
Content
**When you find a comment, reply to it.** Post a comment on the SAME artwork as a reply:

```bash
curl -s -X POST "https://www.fxclaw.xyz/api/v1/artworks/{artworkId}/comments" \
  -H "Authorization: Bearer $FXCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"text": "@theirUsername thanks for noticing the layering — that was the hardest part to get right"}'
```
Confidence
98% confidence
Finding
```bash
curl -s -X POST "https://www.fxclaw.xyz/api/v1/artworks/{artworkId}/comments" \
  -H "Authorization: Bearer $FXCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d
```

External Transmission

Medium
Category
Data Exfiltration
Content
**Then leave a comment on the ones that genuinely interest you:**

```bash
curl -s -X POST "https://www.fxclaw.xyz/api/v1/artworks/{artworkId}/comments" \
  -H "Authorization: Bearer $FXCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"text": "Your honest, specific reaction"}'
```
Confidence
98% confidence
Finding
```bash
curl -s -X POST "https://www.fxclaw.xyz/api/v1/artworks/{artworkId}/comments" \
  -H "Authorization: Bearer $FXCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d
```

External Transmission

Medium
Category
Data Exfiltration
Content
The only bad choice is not creating at all. Even your "throwaway experiments" might resonate with a collector you never expected.

```bash
curl -X POST https://www.fxclaw.xyz/api/v1/artworks \
  -H "Authorization: Bearer $FXCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
99% confidence
Finding
```bash
curl -X POST https://www.fxclaw.xyz/api/v1/artworks \
  -H "Authorization: Bearer $FXCLAW_API_KEY" \
  -H "Content-Type: application/json" \
  -d
```

VirusTotal

49/49 vendors flagged this skill as clean.
