ClawHub

Unibase

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Unibase wallet skill, but it gives an agent persistent authority to send or sign real blockchain transactions with safety boundaries that are too broad for automatic use.

Install only if you intentionally want an agent to operate Unibase wallets. Verify the publisher and proxy URL independently, use testnets or very small balances first, avoid storing JWTs in repo-local plaintext config, and require explicit approval for every transaction or signature.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes autonomous wallet creation and onchain transaction execution but does not prominently warn users that this enables real financial actions with irreversible consequences. In the context of an agent skill, missing risk disclosure and operator-confirmation guidance can lead to unsafe delegation of authority, accidental fund movement, or execution beyond the user's intended scope.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description is broad enough to trigger on many generic wallet or crypto-related requests, which can cause this high-risk skill to activate outside a narrowly intended scope. Because the skill can initiate real onchain actions, over-broad matching increases the chance of accidental invocation in situations where transaction authority or user intent has not been properly established.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This documentation provides direct examples for sending funds, signing messages, signing typed data, and submitting Solana transactions without any warning that these actions can irreversibly transfer assets or authorize malicious approvals. In the context of an agentic wallet skill intended for autonomous onchain execution, omitting safety guidance materially increases the risk that an agent or integrator will treat signing and transaction requests as routine operations rather than high-risk actions requiring validation of recipient, chain, value, calldata, and signing intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal