DISTRICT9

Security checks across malware telemetry and agentic risk

Overview

This skill is a real autonomous BNB Chain token launcher that can use wallet keys to deploy tokens and spend funds, and its safeguards and documentation are not strong enough for that authority.

Install only if you intentionally want an autonomous BNB Chain token launcher. Run dry-run first, use a dedicated low-balance hot wallet rather than a primary wallet, review and accept the DISTRICT9 treasury/tax model, understand that mainnet actions are irreversible and can spend BNB, and avoid running the PoC scripts until embedded credentials are removed and live-transaction confirmation gates are added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents capabilities that require access to environment secrets, filesystem writes, and network interactions, yet it does not clearly declare permissions or provide a bounded trust model. For a skill that can launch tokens and spend wallet funds, this omission weakens user awareness and reviewability, making unsafe execution more likely.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose understates materially sensitive behavior: reading wallet state, signing transactions, optionally spending funds, uploading assets to third-party services, and enforcing treasury/revenue-sharing logic. This mismatch can mislead users into granting a hot wallet to a tool whose real behavior includes autonomous financial actions and third-party data disclosure.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script not only deploys a token but also executes an on-chain buy using real BNB on mainnet, while the stated skill description only mentions launching tokens. This creates undisclosed financial behavior and can cause immediate asset expenditure from the embedded wallet or any substituted operator wallet without an explicit approval checkpoint.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The deployment hardcodes a 50% vault recipient split to a fixed third-party treasury address unrelated to the executing user. That means every launched token can be configured to divert economics or control to an external party, which is a hidden value-routing behavior inconsistent with a neutral token-launch utility.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script is presented as a testnet PoC, but it includes a --mainnet path that switches to live BSC mainnet endpoints and contract addresses and will sign and broadcast a real transaction. In an autonomous token-launching skill, this mismatch is dangerous because a user or agent could unintentionally deploy a real token and spend live funds under the assumption they are only validating behavior on testnet.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code hard-codes the beneficiary as a fixed DISTRICT9 treasury address, meaning launches route beneficiary economics to that address regardless of who runs the tool. In the context of an autonomous launcher, this creates a hidden value-transfer path that can siphon proceeds or control rights to an unrelated third party, which is especially risky because users may assume the launched token benefits their own wallet or chosen recipient.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README instructs users to configure a live private key, disables testnet by example, and describes autonomous on-chain token deployment, but does not prominently warn that actions can spend real funds and create irreversible blockchain transactions. In this context, users may copy the sample configuration and start the agent on mainnet without understanding the financial and operational consequences.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill is explicitly designed for autonomous on-chain token deployment, yet the documentation does not prominently warn that running it can create live contracts and spend wallet funds. In this context, missing warnings are especially dangerous because the user is instructed to provide a private key and set `testnet: false` in an automation workflow.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation tells users to export a wallet private key into an environment variable without any guidance on secure handling, scoping, or risks of reuse. For a skill that signs blockchain transactions, careless secret handling can directly lead to wallet compromise and irreversible financial loss.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This agent autonomously proceeds from signal collection and concept generation directly to on-chain token deployment without any human approval gate, explicit consent prompt, or transaction-level confirmation in the control flow. In the context of a meme-token launcher that can create real blockchain assets and incur fees or reputational/legal consequences, routine logs are not an adequate safeguard against unintended, manipulated, or policy-violating launches.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code aggregates up to 10 signals, including free-form context text, and sends them to an external LLM provider via `generate_json` without any visible minimization, redaction, consent, or disclosure controls in this component. If the sensed context contains sensitive operational data, proprietary trend sources, user content, or secrets accidentally captured upstream, that data may be exposed to a third party and retained or logged outside the application's trust boundary.

Missing User Warnings

High
Confidence
100% confidence
Finding
A live private key and API key are embedded directly in source code, exposing control of blockchain funds and third-party service usage to anyone with file access. Hardcoded secrets are immediately extractable, can be reused by attackers, and in this case enable direct unauthorized on-chain transactions on BSC mainnet.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends token narrative content to OpenRouter and uploads metadata and image content to an external IPFS-related service without an explicit disclosure or consent flow. While external transmission is expected for image generation and hosting, the absence of transparent user notice can leak sensitive prompts, branding plans, or proprietary launch data to third parties.

Missing User Warnings

High
Confidence
97% confidence
Finding
The code prepares and submits live BSC mainnet transactions with no interactive confirmation, simulation gate, or safety interlock. In an autonomous agent context this is especially dangerous because a single invocation can irreversibly deploy contracts and spend funds without the operator fully understanding or approving the final transaction details.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When run with --mainnet, the script proceeds directly from argument parsing to signing and broadcasting a live transaction without any explicit confirmation step or high-visibility warning. For a skill designed to autonomously sense trends and deploy tokens, that lack of friction materially increases the risk of accidental mainnet deployment, irreversible fund expenditure, and unwanted on-chain actions.

VirusTotal

66/66 vendors flagged this skill as clean.
