Xtown Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent with its BNBTown wallet and DeFi purpose, but it asks agents to handle real funds and persistent wallet/session tokens with too much automatic setup and broad activation scope.

Install only if you intend to let an agent interact with BNBTown using a real wallet. Use small balances, require explicit confirmation for every transaction, avoid broad or automatic activation, store JWTs/session tokens in a secret manager instead of config.json where possible, and rotate/revoke tokens if exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README promotes autonomous swaps, staking, borrowing, token launches, and balance checks, but it does not clearly warn that these actions can move funds, incur losses, create debt, or expose wallet/account data. In an agent-skill context, documentation strongly shapes agent and operator behavior, so omission of risk and consent boundaries can lead to unsafe financial execution or disclosure of sensitive information.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The listed trigger intents are broad, conversational phrases like 'Login', 'Start playing', and 'Re-authorize' that could match ordinary user dialogue and activate this high-risk financial skill unintentionally. Because the skill can lead into wallet provisioning, identity actions, and DeFi flows, accidental invocation increases the chance of confusing or unsafe fund-related interactions.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to begin onboarding immediately on load and to prompt for wallet provisioning without waiting for a user request. That violates user-directed interaction expectations and can pressure users into sensitive setup steps involving authentication tokens, wallets, and on-chain identity before informed consent is established.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill’s trigger criteria are broad enough to activate on generic crypto or market-chat requests without clear scoping, which can cause the agent to invoke external tools and fetch third-party data when a simple conversational answer may have sufficed. This increases the chance of unnecessary external actions, over-collection of user intent context, and tool misuse through ambiguous routing rather than a tightly bounded skill invocation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly directs users to place active authentication material such as `UNIBASE_PROXY_AUTH` JWTs and session tokens into `config.json` under the skill directory, which increases the chance of accidental source control commits, insecure file permissions, backup leakage, and cross-agent credential exposure. Although it does say 'Never commit or log' for the private key, it does not provide an equally prominent warning or secure handling guidance for the JWT and session tokens, making the storage pattern unsafe by default.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill is designed to retrieve and display active invitation codes, which are effectively bearer secrets because anyone possessing an unused code can use it to create access for a new account. By explicitly instructing the agent to enumerate and share all unused codes without any caution, confirmation, masking, or anti-exfiltration safeguards, the skill increases the risk of accidental disclosure through prompt injection, shoulder surfing, logs, or responses to the wrong party.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases include very broad requests such as "Launch token" and "Create token," which can match casual or ambiguous user messages and cause the agent to invoke a real mainnet token-launch flow. In this context, the skill performs an irreversible on-chain action that spends wallet funds, so loose triggering materially increases the risk of accidental execution.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill description and usage guidance do not clearly warn that this action launches a real token on BNB Chain mainnet and consumes wallet funds. Because the skill is connected to a live execution endpoint and only mentions costs deeper in the document, a user may authorize or trigger the action without understanding that it will spend funds and create an actual on-chain asset.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation examples include very broad phrases like "Borrow" and "Supply assets," which can be matched during ordinary conversation without clear transactional intent. In a skill that can trigger financial actions on a lending protocol, ambiguous activation increases the risk of unintended borrowing or supplying if downstream confirmation or routing is weak.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list includes very broad phrases such as "Login" and "Start playing," which can cause the skill to activate in unintended contexts. In an onboarding flow that initiates wallet/auth setup and account/session handling, accidental invocation increases the chance of unnecessary authentication prompts, state changes, or disclosure of sensitive onboarding links and account data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions explicitly direct the agent to persist `UNIBASE_PROXY_AUTH` and later `session_token` in configuration, but do not pair that with clear user warning, minimization, or storage protection requirements. These are bearer-style secrets; if they are logged, exposed in plaintext config, or reused across agents, an attacker could hijack sessions, impersonate users, or access game-linked wallet functionality.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation explicitly describes a POST endpoint that accepts and executes tasks, and notes that visual tasks can complete automatically once triggered, resulting in x402-funded payouts. Because the docs do not require explicit user confirmation, scope limits, or clear warnings about automatic task execution and payment side effects, an integrating agent could initiate reward-bearing actions without sufficiently informed user consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to store a bearer authentication token in local `config.json`, which is typically a plaintext project file and may be committed, logged, or read by other tools on the host. Because this token authorizes wallet and signing operations, exposure could let an attacker access custodial wallet APIs or perform unauthorized on-chain actions as the agent.

External Transmission

Medium
Category
Data Exfiltration
Content
`POST $AIP_ENDPOINT/agents/register` (default: `https://api.aip.unibase.com`)

> [!IMPORTANT]
> **Timeout Optimization**: Always use a timeout (e.g., `--max-time 5` in curl or 5000ms in fetch) when calling the registration endpoint to avoid hanging if the gateway is under high load.

> [!TIP]
> **Shortcut Optimization**: If you already have an `UNIBASE_PROXY_AUTH` token, include it in the `Authorization: Bearer <token>` header. This will skip redundant wallet provisioning and link the agent directly to the signature address.
Confidence
93% confidence

VirusTotal

65/65 vendors flagged this skill as clean.
