Windfall Inference

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent paid remote inference gateway, but its browser payment/dashboard flow misstates how API keys are handled and persists sensitive tokens in localStorage.

Review this before installing or operating it. Treat Windfall as a third-party remote inference and billing service: do not send secrets or regulated data unless you accept its routing, caching, logging, OpenRouter forwarding, and onchain-attestation model. Be especially cautious with the dashboard/top-up pages because API keys and wallet sessions are stored in browser localStorage, and the top-up page currently gives a false assurance that the API key is never sent to the server.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (24)

Tp4

High
Category
MCP Tool Poisoning
Confidence
82% confidence
Finding
The documented purpose is a simple inference gateway, but the broader described behavior includes sensitive financial, authentication, admin, and personal-data handling capabilities far beyond that scope. This mismatch undermines informed consent and risk assessment, making it easier for users or agents to interact with a service that processes wallets, payments, sessions, and stored data without adequate disclosure.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The landing page includes a contact form that collects personal data such as name, email, location, and free-form infrastructure details that are not necessary to use the core inference-routing functionality. In an agent-skill context, this expands data collection beyond the stated purpose and the free-form message field can also capture sensitive operational details users may not realize they are disclosing.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The page states that every call runs on the cleanest energy available, but other parts of the same page and code support cheapest, greenest, and balanced routing modes. This is a deceptive security/privacy-relevant claim because users may make routing and data-governance decisions based on an inaccurate representation of where their requests are processed.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The hero text claims every call is attested onchain, while the implementation description later says only batches of requests are attested. That discrepancy can mislead users about the granularity and verifiability of audit evidence for individual requests, which matters for compliance and trust decisions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The page explicitly tells users their API key is 'stored in this browser only and never sent to our servers', but the script later sends that key in Authorization headers to /api/keys/me and /api/topup. This is a real security/privacy issue because it misleads users about how a secret is handled, undermines informed consent, and may cause users to expose a credential under false assumptions.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The contact endpoint collects and persists personal data including name, email, location, and message contents to a local JSONL file. In an inference gateway, this extra PII collection increases breach impact and compliance exposure, especially because the data is stored server-side without any visible consent, minimization, encryption, or access-control measures in this file.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This code serializes precise node geolocation, node identifier, model, and energy/carbon metadata into an onchain attestation, making the data globally visible, durable, and difficult to retract. That exceeds the stated inference-routing function and can expose infrastructure location and operational telemetry that may aid targeting, profiling, or deanonymization of operators.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This file implements blockchain deposit monitoring and automatic balance crediting, which is materially outside the declared LLM inference skill scope. Scope mismatch is a security concern because users and operators may enable the skill expecting inference-only behavior while it performs financial processing against onchain events, increasing the chance of hidden or insufficiently reviewed money-handling logic.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file implements onchain USDC deposit monitoring and directly credits internal API key balances, which is materially different from the stated skill purpose of LLM inference/routing. That mismatch is security-relevant because hidden or undeclared payment-processing logic expands the trust boundary, introduces financial side effects, and can evade review by operators who expect only inference functionality.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages use of a remote inference endpoint but does not clearly warn users that prompts, conversation contents, headers, and associated metadata will be transmitted to a third-party service. In an agent setting, this can lead to accidental disclosure of secrets, personal data, or proprietary context to an external provider.

Missing User Warnings

High
Confidence
97% confidence
Finding
The documentation states that every inference call generates an onchain attestation including node location, energy price, carbon intensity, model used, and response hash, but it does not prominently warn users before use. Because blockchain attestations are durable and broadly accessible, even metadata and hashes can create long-lived linkage, privacy leakage, and correlation risks beyond ordinary API processing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manifest advertises remote chat completion and even mentions semantic caching, but it does not clearly warn that user prompts and messages are sent to a third-party remote inference service and may be retained, cached, or further processed externally. This can cause agents or users to transmit sensitive data under the false assumption that processing is local or ephemeral, creating privacy, confidentiality, and compliance risk.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The dashboard stores the wallet session token in localStorage, which is readable by any JavaScript executing in the page origin, including injected script from an XSS flaw or compromised third-party asset. Because this token is later sent as a Bearer credential to load wallet-linked keys and account data, theft of the token can enable account takeover of the dashboard session and exposure of associated API-key metadata.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The entered API key is persisted to localStorage and auto-restored on page load, making a long-lived secret accessible to any script running in the origin and to anyone with local access to the browser profile. Since the API key is itself used directly as a Bearer token to query /api/keys/me, compromise of this value would grant unauthorized access to the user's account data and potentially broader API capabilities depending on backend scope.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The product copy describes engagement classification, prompt hashing for caching, and onchain attestation, but does not clearly warn users that prompts and metadata may be analyzed, stored, deduplicated, or disclosed outside the base model provider. In an inference-routing service, that omission is security-relevant because users may route sensitive prompts through the service without understanding the additional processing surface.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The API key is a sensitive bearer credential, and the code transmits it to server endpoints despite the interface promising the opposite. In a billing/top-up flow, this context makes the issue more serious because users are handling payment-related actions and may trust the page more than usual, while the application also persists the key in localStorage, increasing exposure if the browser environment is compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script uses a private wallet key from ACP_WALLET_KEY to create a blockchain client and then initiates, pays for, and evaluates a real ACP job on Base. Because this is an executable test script with real transaction side effects but no interactive confirmation, dry-run mode, or prominent warning, a user running it may unknowingly expose a funded wallet to onchain actions and spend funds.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code stores user-submitted personal data but this file does not show any user-facing disclosure, consent, or notice at the collection point. That creates privacy and legal risk and can materially worsen the consequences of a compromise because users may submit sensitive free-form content in the message field without understanding it will be retained.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This route forwards user prompts and metadata to remote peer nodes over plain HTTP and to the external OpenRouter service, but the code shown does not provide any explicit consent, disclosure, or privacy gating before transmitting potentially sensitive request content. In an inference API, users may submit secrets, personal data, or proprietary prompts, so undisclosed third-party forwarding meaningfully increases privacy and compliance risk, especially when routing can occur automatically based on node selection.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code stores full LLM response bodies on disk in a shared SQLite database for up to an hour, with no indication here of consent, minimization, encryption, or filtering of sensitive content. Because model outputs can contain personal data, secrets, proprietary prompts, or tool results, persistence increases privacy and data-retention risk if the host, database file, backups, or logs are accessed by unauthorized parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide tells users to redirect existing agent traffic to a third-party inference gateway but does not clearly disclose that prompts, responses, metadata, and possibly tool-related content will transit through and be visible to that service. In the context of agent testing, this can expose sensitive data from existing workflows and is made more concerning by the later statement that the system logs everything for debugging.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document advertises semantic caching and instructs users to resend prompts without warning that prompt content may be stored, embedded, or otherwise retained for cache matching. That creates a confidentiality risk because sensitive prompts may persist beyond a single request and could be used in cache operations without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The testing guide encourages users to send USDC or ETH to a gateway wallet for top-up testing without clearly warning that blockchain transfers are real-value and generally irreversible. Users may interpret this as a low-risk test step and lose funds if they send assets incorrectly, to the wrong network, or to an untrusted service.

External Transmission

Medium
Category
Data Exfiltration
Content
Set `WINDFALL_API_KEY` in your environment. Get one free at:

```
curl -X POST https://windfall.ecofrontiers.xyz/api/keys \
  -H "Content-Type: application/json" \
  -d '{"wallet_address": "YOUR_WALLET"}'
```
Confidence
91% confidence
Finding
Keys with an ERC-8004 agent identity or Basename get 100

VirusTotal

62/62 vendors flagged this skill as clean.
