ClawHub

Fund Wallet

Security checks across malware telemetry and agentic risk

Overview

This skill provides bounded guidance for funding a Finance District wallet and does not contain hidden code, automatic transfers, or destructive behavior.

Install only if you trust the Finance District fdx CLI and want agent help funding that wallet. Before sending money, confirm the exact chain, token, and address, understand that crypto transfers can be irreversible, and use a small test transfer for first-time deposits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The invocation description is very broad and includes generic phrases like 'how do I get funds?' and 'how do I add money?', which could cause the skill to trigger in ambiguous contexts. In a financial workflow, accidental invocation can steer users into funding actions or expose wallet deposit addresses when the user may have intended a different task, increasing the risk of unsafe or unintended money movement.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill provides operational instructions for funding by card onramp or direct transfer, but it does not present a prominent upfront warning that crypto transfers can be irreversible, chain selection mistakes can permanently lose funds, and exchange/onramp purchases may involve fees, delays, and compliance checks. Because this skill directly facilitates movement of financial assets, omission of these warnings makes user error more likely and can lead to irreversible loss.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal