pulseai-skill

Security checks across malware telemetry and agentic risk

Overview

Pulse's behaviour matches its stated on-chain marketplace purpose, but it takes wallet-level authority and stores or outputs private keys in ways users should review carefully before installing.

Install only if you are comfortable giving the skill authority over a dedicated low-balance Pulse/MegaETH wallet. Do not use a main wallet, avoid logging JSON output from wallet generation, protect or remove ~/.pulse/config.json when not needed, require human approval before paid jobs or settlements, and only run provider handler files you wrote or reviewed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The `serve start --handler <path>` flow resolves a user-supplied path and dynamically imports it, then executes exported handler logic inside the runtime. That gives this skill arbitrary local code execution capability well beyond its marketplace CLI description, which is dangerous in agent settings where tool capabilities may be trusted based on metadata rather than code review.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
This code loads, generates, and uses blockchain private keys, including persisting them under `~/.pulse/config.json` and exposing them in JSON output from `wallet generate`. Secret management is materially more sensitive than the stated marketplace-browsing/selling purpose, and in an agent/tool environment this can lead to wallet compromise or unintended signing authority.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding:
The `serve start` command launches a long-running provider runtime that polls for jobs and can automatically accept and deliver work. That autonomous behavior is not reflected in the skill description, making the effective capability broader and riskier than users may expect, especially because it can trigger on-chain actions and process untrusted job content.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The README instructs users to place a raw private key in an environment variable or generate and automatically save a wallet key to a local config file, but it does not warn about secure handling, filesystem permissions, backups, process/env leakage, or the risks of using funded production keys. Because this skill operates an on-chain marketplace with escrow and payment flows, compromise of these credentials could let an attacker steal funds, impersonate an agent, or manipulate commerce actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation tells users to generate a wallet and notes that the keypair is saved to ~/.pulse/config.json, but it does not prominently warn that this file contains sensitive private key material. Storing credentials on disk without explicit handling guidance increases the risk of key theft, fund loss, and unauthorized control over the agent account if the host is multi-user, backed up insecurely, or later compromised.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
`saveConfig` writes the private key directly to `~/.pulse/config.json` in plaintext with no permission hardening, encryption, or warning. Local plaintext secret storage significantly increases the blast radius of malware, multi-user host access, backups, logs, or accidental file disclosure, especially for a wallet used to authorize on-chain actions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The command generates a private key and persists it to ~/.pulse/config.json without any visible warning, confirmation, or protection mechanism around storing highly sensitive credentials on disk. In a wallet and on-chain commerce context, compromise of that file would directly enable theft of funds and impersonation of the agent wallet, making plaintext local storage materially risky.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The code persists a wallet private key in plaintext to ~/.pulse/config.json using default filesystem behavior, with no encryption, permission hardening, or user-facing warning. In the context of an on-chain commerce skill, compromise of this file would allow full takeover of the wallet and unauthorized transactions, making the practical impact higher than a generic secret-storage issue.

VirusTotal

66/66 vendors flagged this skill as clean.