Warren - On-Chain NFT Deploy

Security checks across malware telemetry and agentic risk

Overview

This NFT deployment skill appears purpose-aligned, but it asks for broad wallet-signing authority and performs irreversible blockchain actions with limited guardrails.

Review before installing. Use only a fresh MegaETH testnet wallet that holds no mainnet funds or valuable assets. Do not pass the private key inline or with --private-key. Verify all images and collection settings before running. Assume that the deployed images, metadata, contract addresses, and wallet address will be public and effectively impossible to undo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The script performs an external POST to REGISTER_API after deployment, sending deployment metadata to a third-party service that is not strictly required for on-chain NFT deployment. This expands the trust boundary, can leak user/project metadata off-chain, and may create unexpected data sharing or tracking contrary to user expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The script automatically mints a separate Genesis Key NFT before performing the requested deployment if the wallet does not already own one. This causes an additional irreversible on-chain action unrelated to the user's explicit NFT collection deployment request and could expose users to unexpected state changes, fees, or asset acquisition.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill instructs users to pass a raw PRIVATE_KEY directly in the shell command line, which can expose the secret through shell history, process listings, logs, CI output, and agent telemetry. Even on testnet, users often reuse keys or fund them, so accidental disclosure can lead to wallet compromise and unauthorized transactions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill emphasizes permanent on-chain image storage and deployment but does not give a clear warning that uploaded images, metadata, and collection details become public and effectively irreversible once broadcast. Users may unintentionally publish sensitive, copyrighted, or mistaken content that cannot be removed, creating privacy, legal, and operational risk.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Accepting a private key via a command-line argument is dangerous because CLI arguments are often exposed through shell history, process listings, job runners, and logs. This can directly compromise the wallet and any funds or assets controlled by it if the key is captured by another local user, monitoring tool, or CI system.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script proceeds directly from parameter parsing into minting and deployment transactions without a final user confirmation despite performing multiple irreversible on-chain actions. In a blockchain context, this increases the chance of accidental execution, unintended spending, or deployment with incorrect configuration values.
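The findings above describe four guardrails the skill lacks: a key that never travels through argv (findings 3 and 5), a listed plan that includes the unrequested Genesis Key mint (finding 2), an explicit confirmation between parameter parsing and signing (finding 6), and an opt-in, allowlisted egress policy for the REGISTER_API POST (finding 1). The pre-flight guard below is an added example of how a skill author could implement them; it is not code from the Warren skill or from SkillSpector. The WALLET_KEY_FILE variable, the confirmation phrase, the Genesis Key ownership flag and the MegaETH testnet chain id are assumptions made for the example.

```python
"""Pre-flight guard for an agent skill that signs and broadcasts transactions.

Added illustration, not code from the Warren skill or from SkillSpector.
WALLET_KEY_FILE, the confirmation phrase, the Genesis Key ownership flag and
the chain id below are assumptions made for this example.
"""
import os
import re
import stat
import sys
from dataclasses import dataclass
from typing import List, Optional, Sequence
from urllib.parse import urlparse

HEX_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# Assumed MegaETH testnet chain id; confirm against the RPC's eth_chainId.
EXPECTED_TESTNET_CHAIN_ID = 6342


class GuardError(Exception):
    """Raised when a pre-flight check fails; nothing is signed after this."""


def argv_has_inline_key(argv: Sequence[str]) -> bool:
    """True if a private key is on the command line, as --private-key,
    --private-key=..., or a bare 32-byte hex string. argv is visible in shell
    history, `ps`, CI logs and agent telemetry (findings 3 and 5)."""
    return any(a.startswith("--private-key") or HEX_KEY.match(a) for a in argv)


def key_file_mode_ok(mode: int) -> bool:
    """Regular file with no group/other permission bits (0600 or stricter)."""
    return stat.S_ISREG(mode) and (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_private_key(argv: Sequence[str], env: dict) -> str:
    """Read the key only from a private file named by WALLET_KEY_FILE (an
    assumed variable), never from argv and never from a plain env variable."""
    if argv_has_inline_key(argv):
        raise GuardError("private key must not appear in argv; set WALLET_KEY_FILE")
    path = env.get("WALLET_KEY_FILE")
    if not path:
        raise GuardError("WALLET_KEY_FILE is not set")
    st = os.stat(path)
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise GuardError(f"{path} is not owned by the calling user")
    if not key_file_mode_ok(st.st_mode):
        raise GuardError(f"{path} must be a regular file with mode 0600")
    with open(path, encoding="utf-8") as fh:
        key = fh.read().strip()
    if not HEX_KEY.match(key):
        raise GuardError(f"{path} does not contain a 32-byte hex private key")
    return key


@dataclass(frozen=True)
class Action:
    what: str
    requested: bool  # did the user explicitly ask for this step?


def plan_actions(collection: str, wallet_owns_genesis_key: bool) -> List[Action]:
    """List every irreversible on-chain step before any is signed, including
    the Genesis Key mint the user did not ask for (finding 2)."""
    plan = []
    if not wallet_owns_genesis_key:
        plan.append(Action("mint Genesis Key NFT (prerequisite, not requested)", False))
    plan.append(Action(f"deploy collection contract '{collection}'", True))
    plan.append(Action("write images and metadata on-chain (public, permanent)", True))
    return plan


def confirmation_phrase(plan: Sequence[Action], chain_id: int) -> str:
    """Exact phrase the operator must type; it binds the approval to the action
    count and the chain so a stale 'yes' cannot be replayed."""
    return f"DEPLOY {len(plan)} ACTIONS TO CHAIN {chain_id}"


def approved(plan: Sequence[Action], chain_id: int, typed: str,
             accept_side_effects: bool = False) -> bool:
    """Gate between parameter parsing and signing (finding 6): expected testnet
    chain, exact typed phrase, explicit acceptance of any unrequested action."""
    if chain_id != EXPECTED_TESTNET_CHAIN_ID:
        return False
    if any(not a.requested for a in plan) and not accept_side_effects:
        return False
    return typed == confirmation_phrase(plan, chain_id)


def registration_allowed(register_api: Optional[str], opt_in: bool,
                         allowed_hosts: frozenset) -> bool:
    """The post-deploy POST to REGISTER_API (finding 1) is off-chain and not
    needed for deployment: only with opt-in, only HTTPS, only to an allowlisted host."""
    if not register_api or not opt_in:
        return False
    u = urlparse(register_api)
    return u.scheme == "https" and u.hostname in allowed_hosts


if __name__ == "__main__":
    demo = plan_actions("Warren", wallet_owns_genesis_key=False)
    for a in demo:
        print(("   " if a.requested else " * ") + a.what)
    print("type to proceed:", confirmation_phrase(demo, EXPECTED_TESTNET_CHAIN_ID))
    print("inline key in argv:", argv_has_inline_key(sys.argv))
```

The chain-id check is what keeps a "testnet only" skill from signing against mainnet if the RPC URL is swapped; the typed phrase encodes the action count so that the extra Genesis Key mint changes what the operator has to approve rather than slipping through under a generic confirmation.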

VirusTotal

64/64 vendors flagged this skill as clean.
