ClawHub

XPR DeFi

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate XPR DeFi skill, but it can sign real financial transactions and has under-scoped multisig authority plus one write action without the advertised confirmation gate.

Install only if you intend to let this skill use an XPR private key to perform real on-chain financial actions. Use a dedicated low-value account or least-privilege permission, review every proposed action before setting confirmed=true, and treat the multisig tools as broad administrative authority rather than narrow DeFi helpers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The msig_propose tool accepts an arbitrary array of on-chain actions and serializes them into an eosio.msig proposal with no allowlist restricting contracts or actions to the advertised DeFi scope. In an agent setting, this creates a generic privileged transaction-construction primitive that can be used to propose transfers, permission changes, contract management actions, or other sensitive operations under the operator's account, far beyond swaps or trading.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The msig_approve tool will approve any existing proposal identified by proposer and proposal_name, without inspecting or constraining the underlying transaction contents. That means the skill can lend the user's approval authority to arbitrary multisig proposals, including non-DeFi or high-risk operations, which is especially dangerous because approval is an authorization step rather than a harmless read.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The manifest advertises multiple high-risk transactional capabilities—DEX trading, swaps, liquidity changes, OTC escrow, farming actions, withdrawals, and multisig proposal operations—without any disclosure that these actions can move funds, incur slippage, lock assets, or require explicit user confirmation. In an agent ecosystem, this omission increases the chance that users or upstream orchestrators invoke value-bearing operations without understanding financial risk, making accidental loss or unsafe automation more likely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Unlike the other write tools, msig_cancel performs an on-chain state-changing action without requiring confirmed=true or an equivalent explicit confirmation gate. In an agent environment, that inconsistency raises the chance of accidental or prompt-induced cancellation of a live proposal, potentially disrupting governance or operational workflows.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal