Agent Sovereign Stack

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it handles wallet keys and sensitive memory files with too little protection or confirmation.

Review carefully before installing. Use only a fresh low-balance testnet wallet, never a primary wallet key. Inspect and redact every file that could be uploaded, assume uploaded memory and identity data may be exposed or hard to remove, and do not rely on the advertised encryption or signing until it is actually implemented. Verify all contract addresses and Foundry commands before allowing any transaction or treasury deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
        return None

    print("  🔨 Compiling and deploying...")
    result = subprocess.run([
        "forge", "create", str(contract_src) + ":AgentTreasury",
        "--rpc-url", rpc,
        "--private-key", private_key,
Confidence: 93%
Finding:
result = subprocess.run([ "forge", "create", str(contract_src) + ":AgentTreasury", "--rpc-url", rpc, "--private-key", private_key, "--chain", chain_id, "--b

Tainted flow: 'req' from os.environ.get (line 54, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
    if data:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return {"error": f"HTTP {e.code}", "body": e.read().decode()[:200]}
Confidence: 93%
Finding:
with urllib.request.urlopen(req, timeout=15) as resp:

Tainted flow: 'req' from os.environ.get (line 83, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
                    headers={"Content-Type": "application/json"},
                    method="POST",
                )
                with urllib.request.urlopen(req, timeout=30) as resp:
                    result = json.loads(resp.read())
                    cid = result.get("cid") or result.get("Hash") or result.get("IpfsHash")
                    if cid:
Confidence: 90%
Finding:
with urllib.request.urlopen(req, timeout=30) as resp:

Tainted flow: 'private_key' from os.environ.get (line 340, credential/environment) → subprocess.run (code execution)

Severity: Medium
Category: Data Flow
Content:
        return None

    print("  🔨 Compiling and deploying...")
    result = subprocess.run([
        "forge", "create", str(contract_src) + ":AgentTreasury",
        "--rpc-url", rpc,
        "--private-key", private_key,
Confidence: 92%
Finding:
result = subprocess.run([ "forge", "create", str(contract_src) + ":AgentTreasury", "--rpc-url", rpc, "--private-key", private_key, "--chain", chain_id, "--b

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The code claims to create a 'signed message envelope' and the module docstring suggests end-to-end encryption readiness, but messages are only hashed and then base64-encoded plaintext is uploaded. A content hash provides no authenticity or confidentiality, so recipients may trust spoofed, tampered, or exposed messages under false security assumptions.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The docstring claims encrypted memory handling, but the code base64-encodes and uploads plaintext content without any encryption. This is dangerous because operators may rely on the documentation and unintentionally send sensitive memories and identity snapshots under a false assumption of confidentiality.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The script automatically reads a private key from a local secrets file and then uses it for on-chain actions. In an agent-skill context, silently pulling credentials from a standard workspace location materially increases the risk of unintended signing operations and violates least surprise.

Intent-Code Divergence

Severity: Low
Confidence: 88%
Finding:
The docstring claims uploads go to FilStream/IPFS, but the implementation sends data to a hard-coded HTTP memory-store endpoint. This mismatch can mislead operators about where sensitive identity material is being transmitted and can cause unsafe trust decisions.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill prominently advertises uploading SOUL.md, MEMORY.md, and identity snapshots to IPFS/decentralized storage, but it does not clearly warn that such storage is persistent, broadly retrievable, and difficult or impossible to delete once published. Because these files may contain sensitive agent or user data, the omission can lead users to irreversibly expose credentials, personal data, internal prompts, or operational memory.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill requires users to provide an ETH private key for blockchain actions, but the description does not include a strong warning about the risks of handling raw private keys or how they are used, stored, or protected. In an agent context, this is especially dangerous because users may paste high-value wallet keys into an automated workflow, creating a direct path to fund theft if the script logs, leaks, transmits, or mishandles the secret.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The bulk upload routine automatically collects current_identity.json, recent memory markdown files, and workspace files such as MEMORY.md and SOUL.md, then transmits them remotely without an explicit privacy warning or consent checkpoint. In an agent-memory context, these files are highly likely to contain sensitive operational context, identity data, or secrets, so silent exfiltration risk is substantial.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The default FilStream endpoint uses plain HTTP, so uploaded memory and identity data can be intercepted or modified by a network attacker. Because the skill handles agent memories and identity snapshots, lack of transport encryption creates serious confidentiality and integrity risks.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The script uploads identity files from the workspace to a remote service without a confirmation step or clear warning at the moment of transmission. In this context those files may contain sensitive agent memory, identity, or user-related information, so silent external transmission is dangerous.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The script uses the user's private key to register and update on-chain state immediately, without an explicit pre-broadcast confirmation. In an agent automation setting, this can trigger irreversible blockchain transactions and fees unexpectedly, especially when credentials are auto-loaded from disk.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
Treasury deployment is a broadcasted contract creation using the user's signing key, yet there is no explicit approval gate before deployment. This is especially risky because deployment is expensive and irreversible, and the script is framed as a one-command onboarding flow that may encourage blind execution.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
Silently reading a private key from a local secrets file lacks user-facing disclosure at the point of access. In a skill context, secret consumption should be explicit because users may not expect merely running onboarding to authorize credential use.

VirusTotal

66/66 vendors flagged this skill as clean.
