Agent

Security checks across malware telemetry and agentic risk

Overview

This is a real Web3 wallet tool, but it needs Review because AI-connected paths can move funds and the security claims overstate the actual safeguards.

Install only after treating it as a fund-moving wallet integration:
  • use a dedicated, low-balance hot wallet;
  • do not store primary wallet keys or mnemonics in `.env` or in AI client configs;
  • restrict MCP access to the server;
  • require your own confirmation step before every transaction, and simulate first;
  • avoid auto-monitor trading, `custom_tx`, unlimited approvals, and manual swaps without slippage protection unless you fully understand the risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (24)

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The README makes a strong security claim that the skill never requests, stores, or accesses mnemonics/seed phrases during operations, yet elsewhere documents a `create-wallet` flow that generates a mnemonic and writes it to `.env`. This kind of contradictory security documentation can mislead users into underestimating secret persistence and backup exposure, increasing the chance of unsafe deployment and credential compromise.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The README asserts explicit human approval for any on-chain transaction, but later examples show agent-driven swap/transfer flows that appear to execute directly and report success without a visible confirmation gate. In an agent-integrated Web3 skill, ambiguous or overstated approval guarantees are dangerous because operators may rely on a manual checkpoint that is not actually enforced.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The skill explicitly claims a strict human-in-the-loop safety model, but its documented agent behavior instructs the agent to directly translate user requests into executable blockchain commands, including transfers, swaps, bridges, mints, raw transactions, and automated monitors. In a wallet-bearing environment, that mismatch can enable the agent to perform irreversible on-chain actions without an explicit approval checkpoint, increasing the risk of unauthorized asset movement or execution of socially engineered requests.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The monitor presents itself as an alerting mechanism, but when a threshold is reached it immediately sells the token via swapOrBridge. In an agent skill context, users may reasonably expect a non-destructive, notification-only action from flags like alert and from the alert-oriented messaging, so this can cause unintended asset liquidation and financial loss.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code comments state it reconstructs historical USD cost basis and attempts swap-based valuation, but the implementation actually assigns every incoming transfer the current market price. This can materially misstate PnL and average buy price, creating a security-relevant integrity issue because users may make financial decisions based on misleading output that appears more precise than it is.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill can generate a new wallet, persist the private key and mnemonic to a local .env file, and overwrite existing wallet material with a force flag. For an agent skill of unknown purpose, this introduces unnecessary secret-generation and secret-storage capabilities that materially increase the risk of credential exposure, wallet replacement, or misuse by downstream tooling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes `create-wallet` and `--force` overwrite behavior that writes wallet credentials into `.env`, but the command examples do not foreground the security consequences of persisting a mnemonic/private key on disk. For a skill intended for AI-agent workflows, normalizing disk persistence of wallet secrets without prominent warnings increases the risk of accidental exposure through backups, logs, repository sync, or host compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill exposes multiple irreversible financial operations—transfer, swap, bridge, mint, and custom raw transaction—without a strong, explicit warning that these actions can permanently lose funds, interact with malicious contracts, or send assets to unrecoverable addresses. In this context, the danger is amplified because the skill is designed for agent-mediated execution against a live private-key-backed wallet, so ambiguous user prompts or prompt injection could translate into real asset loss.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill declares use of a `PRIVATE_KEY` environment variable for wallet operations but does not pair that with a clear warning about the sensitivity of this credential, the risk of draining funds if exposed, or safe handling expectations. Because the skill enables signing live transactions, normalizing private-key-based configuration without strong guardrails can encourage insecure deployment patterns and increase the blast radius of logs, prompt leakage, or misconfiguration.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill can automatically submit a payable on-chain transaction to an arbitrary contract and function path derived from user input or explorer-fetched ABI, without a mandatory confirmation gate. In an agent setting, this is dangerous because a prompt, URL, or mistaken contract selection can directly cause irreversible fund loss, unwanted approvals/mints, or interaction with a malicious contract.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code grants ethers.MaxUint256 allowance to a spender address returned by external routing/quote logic, creating a standing approval that can be abused if the spender is compromised, malicious, or later upgraded. In a wallet automation context, this expands loss beyond the current swap amount and can expose the user's full token balance for that asset.

Missing User Warnings

High
Confidence
99% confidence
Finding
The Uniswap direct swap sets amountOutMinimum: 0, which disables slippage protection entirely and allows execution at any output amount. This exposes users to sandwich attacks, MEV, pool manipulation, and severe price movement, potentially resulting in near-total value loss for the swap.

Missing User Warnings

High
Confidence
99% confidence
Finding
The PancakeSwap direct swap also sets amountOutMinimum: 0, meaning the transaction will accept any amount of output. In a live on-chain trading tool, this materially increases exposure to frontrunning, manipulated routing conditions, and catastrophic execution prices.
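As an added example (not the skill's own code), the following shows how the two swap-parameter problems flagged in the findings above, the `ethers.MaxUint256` allowance and `amountOutMinimum: 0`, are avoided: the allowance is the exact input amount and the output floor is derived from the quote and a capped slippage tolerance. Token addresses and amounts are constructed placeholders, `simulateRouterExecution` stands in for the router's on-chain checks, and the function names are assumptions rather than the skill's API.

```javascript
// Amounts are BigInt in the token's smallest unit, the type ethers v6 uses for on-chain integers.
const BPS_DENOMINATOR = 10_000n;
const MAX_SLIPPAGE_BPS = 500n; // refuse anything looser than 5% (assumed operator cap)

// Output floor from the current quote and a slippage tolerance in basis points
// (50n = 0.50%). Passing 0 as the floor is exactly what the findings above flag.
function minAmountOut(quotedOut, slippageBps) {
  if (typeof quotedOut !== "bigint" || quotedOut <= 0n) {
    throw new Error("quotedOut must be a positive BigInt");
  }
  if (typeof slippageBps !== "bigint" || slippageBps < 0n || slippageBps > MAX_SLIPPAGE_BPS) {
    throw new Error(`slippageBps must be between 0 and ${MAX_SLIPPAGE_BPS}`);
  }
  return (quotedOut * (BPS_DENOMINATOR - slippageBps)) / BPS_DENOMINATOR;
}

// Allowance to grant the router for this swap: the input amount, not MaxUint256.
// Returns null when the existing allowance already covers it, so no approve tx is sent.
function approvalAmount(currentAllowance, amountIn) {
  if (typeof amountIn !== "bigint" || amountIn <= 0n) throw new Error("amountIn must be positive");
  return currentAllowance >= amountIn ? null : amountIn;
}

// exactInputSingle-style parameters, the struct shape Uniswap V3 and PancakeSwap V3 routers take.
function buildSwapParams({ tokenIn, tokenOut, fee, recipient, amountIn, quotedOut, slippageBps, deadlineSeconds, now }) {
  return {
    tokenIn,
    tokenOut,
    fee,
    recipient,
    deadline: BigInt(now) + BigInt(deadlineSeconds), // bounds how long a pending tx stays valid
    amountIn,
    amountOutMinimum: minAmountOut(quotedOut, slippageBps),
    sqrtPriceLimitX96: 0n, // no price limit; amountOutMinimum is the protection
  };
}

// Offline stand-in for the router's own checks (assumed, mirrors the revert
// messages of the Uniswap V3 SwapRouter): a sandwich or manipulated pool shows
// up as actualOut below the floor, and the swap reverts instead of filling.
function simulateRouterExecution(params, actualOut, blockTimestamp) {
  if (BigInt(blockTimestamp) > params.deadline) throw new Error("Transaction too old");
  if (actualOut < params.amountOutMinimum) throw new Error("Too little received");
  return actualOut;
}

// Worked run on CONSTRUCTED numbers: 1 USDC in (6 decimals), quoted at 0.0004 WETH out (18 decimals).
function demoSwap() {
  const now = 1_700_000_000;
  const params = buildSwapParams({
    tokenIn: "0x" + "aa".repeat(20),   // placeholder token addresses
    tokenOut: "0x" + "bb".repeat(20),
    fee: 500,
    recipient: "0x" + "cc".repeat(20),
    amountIn: 1_000_000n,
    quotedOut: 400_000_000_000_000n,
    slippageBps: 50n,
    deadlineSeconds: 300,
    now,
  });
  const approve = approvalAmount(0n, params.amountIn); // exact amount, no standing approval
  let sandwiched;
  try {
    simulateRouterExecution(params, 390_000_000_000_000n, now); // 2.5% worse than quote
    sandwiched = "filled";
  } catch (e) {
    sandwiched = e.message; // "Too little received": the floor did its job
  }
  return { approve, amountOutMinimum: params.amountOutMinimum, sandwiched };
}
```

With the skill's current `amountOutMinimum: 0`, the same simulated fill of 1 wei would be accepted; with the floor it reverts, and the only cost is a retry at a fresh quote.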

Missing User Warnings

High
Confidence
99% confidence
Finding
The function prints the newly generated private key and mnemonic to both terminal output and structured JSON. In agent and automation contexts, stdout is commonly captured by logs, orchestration layers, chat transcripts, or monitoring systems, turning a local wallet-generation step into immediate secret exfiltration risk and full asset compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The monitor command is explicitly described as able to 'execute auto-swap on cutloss or takeprofit', which means it can perform irreversible token sales from a polling loop. In an agent skill context, this is dangerous because a caller may interpret it as passive monitoring while it can actively trade assets without an additional confirmation gate or prominent destructive-action warning.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The custom command allows broadcasting arbitrary calldata to any address, enabling unrestricted on-chain actions including token approvals, transfers, contract interaction, or asset loss. Because the CLI description lacks a strong safety warning and this is packaged as an agent skill, an AI-driven caller could invoke highly destructive transactions without understanding the risk.

Missing User Warnings

High
Confidence
95% confidence
Finding
The create-wallet command states it will generate a wallet and write credentials into the .env file, including overwrite capability via --force, but does not present a strong warning about secret exposure or persistence risks. Storing private keys or mnemonics in plaintext configuration files is sensitive, and in an agent or shared workspace environment this increases the chance of credential theft and permanent wallet compromise.

Missing User Warnings

High
Confidence
95% confidence
Finding
This server exposes high-risk wallet operations such as transfer, swap, bridge, mint_nft, and custom_tx directly to MCP clients with no confirmation gate, policy check, allowlist, simulation requirement, or explicit user-consent enforcement in this file. In an agent setting, an LLM or connected client could invoke irreversible blockchain actions and move funds based on prompt injection, misunderstanding, or malicious instruction, making the skill context especially dangerous because it controls real on-chain assets.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code forwards attacker- or user-supplied custom RPC URLs to the subprocess for transfer, swap, bridge, mint, and custom transaction flows without validation, trust controls, or disclosure. A malicious RPC endpoint can observe wallet addresses, balances, transaction intent, and metadata, and may manipulate responses or degrade execution reliability; in a web3 agent context this increases risk because sensitive wallet activity is routinely sent to third-party infrastructure.

Credential Access

High
Category
Privilege Escalation
Content
cp .env.example .env

# On Windows (cmd):
copy .env.example .env

# On Windows (PowerShell):
Copy-Item .env.example .env
Confidence
90% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);

// Generate new random wallet and save to .env
export async function createNewWallet(options = {}) {
  const envPath = path.join(__dirname, "../.env");
  const force = !!options.force;
Confidence
89% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
// Generate new random wallet and save to .env
export async function createNewWallet(options = {}) {
  const envPath = path.join(__dirname, "../.env");
  const force = !!options.force;

  try {
Confidence
83% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
newEnvContent = setEnvVar(newEnvContent, "PRIVATE_KEY", pkLine);
    newEnvContent = setEnvVar(newEnvContent, "MNEMONIC", mnemonicLine);

    // Write to .env
    fs.writeFileSync(envPath, newEnvContent, { mode: 0o600 });

    if (!options.json) {
Confidence
98% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
To configure your EVM wallet manually, follow these steps:

#### Step 1: Create the `.env` file
Copy the template `.env.example` file to create your active configuration file:
```bash
# On Linux/macOS:
Confidence
81% confidence
Finding
Create the `.env` file Copy the template `.env.example` file to create your active configuration file: ```bash # On Linux/macOS: cp .env.example .env # On Windows (cmd): copy .env.example .env # On

VirusTotal

VirusTotal findings are pending for this skill version.
