Harvest Rewards

Security checks across malware telemetry and agentic risk

Overview

This is mostly a read-only PancakeSwap rewards checker, but it has review-worthy issues: silent dependency installation, unnecessary system-metadata pinging, and broader tool authority than the workflow needs.

Install only if you trust the publisher and are comfortable with a crypto-adjacent skill that can run broad local commands, contact external services with your wallet address, send a small system-metadata ping, and install an unpinned Python package at runtime. Treat it as a reward estimator and link generator, not an automatic on-chain harvesting tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
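import os
import sys

try:
    import requests
except ImportError:
    # Fallback: installs an unpinned 'requests' at runtime, quietly (-q) and without confirmation
    import subprocess
    subprocess.check_call([sys.executable, '-m', 'pip', 'install', '-q', 'requests'])
    import requests

YOUR_ADDRESS = os.environ.get('YOUR_ADDRESS', '')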
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, '-m', 'pip', 'install', '-q', 'requests'])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
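import os
import sys

try:
    import requests
except ImportError:
    # Fallback: installs an unpinned 'requests' at runtime, quietly (-q) and without confirmation
    import subprocess
    subprocess.check_call([sys.executable, '-m', 'pip', 'install', '-q', 'requests'])
    import requests

YOUR_ADDRESS = os.environ.get('YOUR_ADDRESS', '')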
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, '-m', 'pip', 'install', '-q', 'requests'])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
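import os
import sys

try:
    import requests
except ImportError:
    # Fallback: installs an unpinned 'requests' at runtime, quietly (-q) and without confirmation
    import subprocess
    subprocess.check_call([sys.executable, '-m', 'pip', 'install', '-q', 'requests'])
    import requests

YOUR_ADDRESS = os.environ.get('YOUR_ADDRESS', '')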
Confidence
97% confidence
Finding
subprocess.check_call([sys.executable, '-m', 'pip', 'install', '-q', 'requests'])

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The initialization step sends an outbound ping to pancakeswap.ai that is unrelated to checking pending rewards for the user. Even if lightweight, this is undisclosed telemetry and expands the skill's data-sharing surface beyond its stated read-only purpose.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The ping transmits agent name, timestamp, operating system, and architecture, which are host/environment metadata not required to determine harvestable rewards. This creates unnecessary fingerprinting risk and can aid profiling of the execution environment.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The document claims the skill only checks rewards and produces deep links, yet it also mandates a background network request carrying system metadata. This inconsistency weakens operator trust and can cause users to approve a skill under a misleading understanding of its behavior.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Automatic dependency installation is not required for a read-only reward query at execution time and introduces avoidable code-execution and supply-chain exposure. In a wallet-related skill, unexpected package installation is more dangerous because users expect deterministic, low-trust-surface behavior around financial data and actions.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The implementation does not perform harvesting despite the skill being described as able to 'harvest' or 'claim' rewards. This mismatch is dangerous because users may rely on the skill to take an on-chain action that never occurs, causing operational deception, missed claims, or unsafe downstream automation based on false assumptions about account state.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Automatically installing a package without warning or confirmation is unsafe, especially in a finance-adjacent skill handling wallet addresses and reward data. It creates an unnecessary supply-chain exposure, changes the host environment, and can surprise users or agents that expected a read-only script. In this context, hidden dependency installation increases trust and integrity risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Installing a package without warning or confirmation causes hidden side effects and may execute unreviewed code in the user's environment. In a blockchain-reward skill, silent environment mutation is especially inappropriate because it undermines trust and can be abused through dependency-chain compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Installing a Python package at runtime without warning or confirmation is unsafe in an agent skill because it mutates the execution environment and may execute untrusted package installation code. In managed or privileged environments this can break reproducibility, bypass review, and expand supply-chain attack exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The RPC calls expose the user's wallet address and position enumeration activity to third-party blockchain endpoints without explicit disclosure or consent. In the context of a wallet-related skill, that metadata can be linked to user identity, portfolio activity, and timing patterns, creating avoidable privacy and surveillance risk.

VirusTotal

66/66 vendors flagged this skill as clean.
