Passive Income Claw

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can use Binance credentials to automatically move funds and create margin debt, so it needs careful review before installation.

Install only if you intentionally want a Binance automation skill with Earn and optional margin-borrow capabilities. Use API keys with withdrawals, futures, and spot trading disabled; avoid enabling Margin unless you explicitly accept borrowing, interest, and liquidation risk. Keep confirm-first mode unless you are comfortable with scheduled scans executing subscriptions, and review the local profile limits, asset whitelist, cron job, and execution log regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requires sensitive environment secrets and performs network/API operations, but does not declare corresponding permissions in the manifest. This reduces transparency and undermines policy enforcement, especially for a finance-related skill that can access account data and place subscriptions via external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose presents the skill as a passive-income Earn assistant, but the documentation shows materially broader capabilities: cross-margin inspection, borrowing, repayment, history access, and redemptions. In a financial automation context, this scope mismatch can mislead users and reviewers into authorizing actions with far greater risk than expected, including leverage-related operations.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README expands the skill from passive-income/Earn operations into margin borrowing and arbitrage, which materially increases financial risk and required permissions. That scope expansion is dangerous because users may provision Margin API access for a tool presented as a passive-income assistant, enabling leveraged actions outside the stated core purpose.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Documenting borrowing against user holdings to pursue arbitrage is not consistent with a normal passive-income assistant and introduces leveraged financial exposure. In this context, the mismatch between stated purpose and documented capability increases the chance of users authorizing risky account actions they did not reasonably expect.

Intent-Code Divergence

High
Confidence
92% confidence
Finding
The README presents strong safety claims while also describing an auto mode that directly subscribes funds without per-action confirmation. This contradiction is dangerous because users may rely on the safety section and underestimate that the skill can autonomously move assets within configured limits.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation expands the operational scope from passive-income Earn flows into detailed asset inspection and margin-related functionality. For a crypto account skill, exposing broader account visibility and debt-capable operations than users expect increases the chance of unauthorized or poorly understood financial actions.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Cross-margin borrowing and repayment are high-risk financial actions that are not justified by the stated purpose of a passive-income assistant. Borrowing introduces leverage, interest accrual, liquidation risk, and user loss exposure that is qualitatively different from subscribing idle funds to Earn products.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The routing instructions introduce borrow-to-earn analysis and execution paths that go beyond the manifest's stated Earn subscription scope. This creates a hidden expansion from low-complexity yield workflows into leveraged strategy execution, which is especially dangerous in an automated assistant.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill includes a general spot-account balance retrieval command (`/api/v3/account`) that goes beyond the stated Simple Earn scope of scanning opportunities and executing subscriptions. This unnecessarily broadens access to sensitive financial data and enables portfolio enumeration, which increases privacy and abuse risk if the skill is invoked unexpectedly or by a compromised agent flow.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file exposes live cross-margin borrow and repay operations even though the skill is described as a passive-income Binance Earn assistant. That scope mismatch is dangerous because an agent or user could trigger leveraged debt actions unrelated to the advertised function, creating financial loss and liquidation risk with no contextual guardrails in this file.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The account inspection and borrow history features disclose and operationalize margin-account state that is outside the stated passive-income/earn purpose. In context, this broadens the skill's effective capability set and supports debt-management workflows that could be chained with the borrow/repay actions, increasing the chance of misuse or hidden financial operations.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The borrow command issues a signed POST to `/sapi/v1/margin/borrow-repay` with type `BORROW`, enabling real margin debt creation. In a skill marketed for passive income opportunities, this is especially dangerous because users may authorize it expecting low-risk yield actions, not leveraged borrowing that can amplify losses and trigger liquidation.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The repay command performs a live margin debt repayment request, which is likewise outside the promised Earn/subscription scope. While repayment is less inherently risky than borrowing, unexpected debt-management actions can still move funds, affect portfolio availability, and conceal the presence of unauthorized margin activity within a seemingly benign skill.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The execution flow adds margin borrowing and debt repayment to a skill described as a passive-income Binance Earn assistant. That materially expands the permission and risk surface from simple subscriptions into leveraged activity that can create liabilities, liquidation risk, and unexpected loss if triggered incorrectly or misunderstood by the user.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Implementing borrow-to-earn allows the agent to take on debt in the user's account, which is a qualitatively different and more dangerous capability than passive yield allocation. Even with some safety checks, this can expose users to interest accrual, failed rollback states, and market-driven margin deterioration that are not justified by the advertised passive-income use case.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file introduces a full margin borrowing, liquidation-risk, and repayment workflow even though the skill is described as a passive-income/earn assistant. That scope expansion is dangerous because it adds leveraged trading behavior and debt creation, which materially increases user risk and enables actions the user may not reasonably expect from an earn-subscription skill.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The auto-mode explicitly allows automatic margin borrowing when configured, which can create debt and liquidation exposure without a contemporaneous user approval at execution time. In the context of a passive-income assistant, automatic leverage is especially dangerous because users may expect low-risk yield actions, not autonomous borrowing against collateral.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The scan flow explicitly instructs the system to ignore user preferences and show all feasible strategies, which contradicts the skill's stated purpose of matching opportunities based on user preferences. In a financial automation context, bypassing suitability and preference constraints can lead users to be nudged toward inappropriate products, including illiquid or higher-risk yield options they did not authorize the assistant to prioritize.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata frames the assistant as executing Binance Earn subscriptions, but the flow expands scope to margin borrowing and leveraged borrow-to-earn strategies. That is a materially different and much riskier financial action because it introduces debt, interest-rate exposure, and liquidation risk beyond simple yield subscriptions.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Adding margin borrowing is unjustified for a passive-income earn assistant and violates least privilege and contextual integrity. Users invoking a yield scanner would not reasonably expect the assistant to assess or prepare debt-financed strategies, making accidental exposure to leverage more likely.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
Auto-executing borrow-to-earn strategies is especially dangerous because it combines autonomous trading-like behavior with leverage in response to a passive-income workflow. This can create debt positions, incur interest, and expose the user to liquidation without a transaction-specific approval at the moment of execution.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest describes scanning opportunities and executing subscriptions, but the setup expands authority to include redeem and potentially margin-borrow operations. That creates a scope mismatch: users may authorize riskier actions than they expected, including leverage-related behavior, which can materially change account exposure and cause losses.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The setup automatically registers a recurring cron job and promises push-like notifications, but this background behavior is not clearly disclosed in the skill description. Undisclosed automation increases risk because users may not realize the skill will continue monitoring their account and generating activity after initial setup.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases include very broad natural-language expressions like asking about suitable opportunities, which can overlap with ordinary conversation. Because this skill can eventually execute financial actions, broad invocation language raises the risk of unintentional activation and account-affecting workflows starting from casual speech.

Missing User Warnings

High
Confidence
95% confidence
Finding
The README does not prominently and plainly warn that auto mode may subscribe assets without asking the user each time. In a skill tied to Binance API credentials and Earn operations, insufficient disclosure materially increases the risk of unexpected financial transactions and loss of user trust.

VirusTotal

64/64 vendors flagged this skill as clean.
