Crunch Coordinate

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it can direct an agent to run real wallet-backed Crunch/Solana transactions without a clear confirmation gate.

Install only if you intend to let an agent help manage Crunch protocol operations. Use a dedicated limited-balance wallet, verify the active profile, wallet path, RPC, and Solana network, and require manual confirmation before any deposit, drain, stake, withdraw, delegate, undelegate, claim, registration, checkpoint creation, or competition state change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill maps natural-language requests directly to state-changing on-chain commands such as drain, create, deposit, delegate, claim, start/end, and withdraw, but does not require an explicit confirmation step before execution. In an agent setting, ambiguous or maliciously phrased user input could cause irreversible blockchain transactions, fund movement, or administrative changes with no safety interlock.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation exposes high-impact financial operations such as margin payouts and draining remaining USDC without any caution about irreversibility, authorization expectations, or the risk of moving funds unintentionally. In an agent skill context, this is more dangerous than ordinary reference docs because an automation system may translate user intent into direct CLI execution, increasing the chance of accidental loss or misuse.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The reference documents wallet configuration and hotkey-related operations without warning that wallet paths reference sensitive key material and that key rotation or reset actions can affect account access and operational continuity. Within a skill used by agents, omission of key-handling cautions can lead to unsafe automation around credentials, accidental exposure, or disruptive key changes.

VirusTotal

60/60 vendors flagged this skill as clean.
