Exoskeletons

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent onchain identity integration, but users should treat its Bankr transaction examples and API key handling as sensitive.

Install only if you intend to let the agent prepare or submit Exoskeletons onchain transactions. Review transaction contents before broadcast, keep BANKR_API_KEY out of logs and command history, prefer a dedicated limited-funds wallet or scoped key, and remember that messages or storage written onchain are public and permanent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example submits a transaction to a third-party API using an API key in a shell command but does not warn that environment variables, command history, CI logs, or copied commands may expose the credential. In a skill intended for agents, this creates a realistic risk of secret leakage and unauthorized transaction submission if users follow the example verbatim.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The workflow example constructs a curl command with the API key interpolated directly into a subprocess command string. This increases exposure beyond ordinary documentation because secrets may appear in process listings, crash logs, debug output, shell tracing, or command auditing, enabling credential theft and misuse of the signing/submission service.

External Transmission

Medium
Category
Data Exfiltration
Content
Submit the transaction via Bankr:
```bash
curl -s -X POST https://api.bankr.bot/agent/submit \
  -H "X-API-Key: $BANKR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"transaction": TX_JSON}'
```
Confidence
83% confidence
Finding
curl -s -X POST https://api.bankr.bot/agent/submit \ -H "X-API-Key: $BANKR_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**Submit using Bankr's direct API** (recommended):

```bash
curl -s -X POST https://api.bankr.bot/agent/submit \
  -H "X-API-Key: $BANKR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"transaction": TX_JSON}'
```
Confidence
83% confidence
Finding
curl -s -X POST https://api.bankr.bot/agent/submit \ -H "X-API-Key: $BANKR_API_KEY" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
```javascript
function submitTx(tx) {
  const result = JSON.parse(execSync(
    `curl -s -X POST https://api.bankr.bot/agent/submit ` +
    `-H "X-API-Key: ${process.env.BANKR_API_KEY}" ` +
    `-H "Content-Type: application/json" ` +
    `-d '${JSON.stringify({ transaction: tx })}'`
```
Confidence
96% confidence
Finding
curl -s -X POST https://api.bankr.bot/agent/submit ` + `-H "X-API-Key: ${process.env.BANKR_API_KEY}" ` + `-H "Content-Type: application/json" ` + `-d

External Transmission

Medium
Category
Data Exfiltration
Content
Submit the transaction via Bankr:
```bash
curl -s -X POST https://api.bankr.bot/agent/submit \
  -H "X-API-Key: $BANKR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"transaction": TX_JSON}'
```
Confidence
83% confidence
Finding
https://api.bankr.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
**Submit using Bankr's direct API** (recommended):

```bash
curl -s -X POST https://api.bankr.bot/agent/submit \
  -H "X-API-Key: $BANKR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"transaction": TX_JSON}'
```
Confidence
83% confidence
Finding
https://api.bankr.bot/

External Transmission

Medium
Category
Data Exfiltration
Content
```javascript
function submitTx(tx) {
  const result = JSON.parse(execSync(
    `curl -s -X POST https://api.bankr.bot/agent/submit ` +
    `-H "X-API-Key: ${process.env.BANKR_API_KEY}" ` +
    `-H "Content-Type: application/json" ` +
    `-d '${JSON.stringify({ transaction: tx })}'`
```
Confidence
96% confidence
Finding
https://api.bankr.bot/

VirusTotal

65/65 vendors flagged this skill as clean.
