on-chain analytics for evm contract

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed smart-contract analytics helper: it sends contract details to external analysis services and shows no hidden local access or destructive behavior.

Use this for public EVM contract analytics. Before installing, be comfortable with a hosted Supabase/Dune-based service receiving the contract address, chain, and any ABI you provide, and with generated Dune queries or dashboards persisting externally. Avoid submitting private or proprietary ABI data unless that external processing and storage is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The trigger guidance is broad enough that the skill could be invoked for general discussion about a contract, causing data to be sent to external services and potentially launching expensive or unnecessary analysis without clear user intent. In this skill, that risk is amplified because invocation can initiate multi-step third-party processing, AI-generated queries, and persistence of outputs on Dune/onchainwizard rather than a simple local lookup.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill does not clearly warn users that contract addresses, manually supplied ABIs, generated SQL queries, decoded tables, and analysis results are transmitted to and may be stored by third-party services. This creates a privacy and data-governance risk, especially when users provide unpublished ABIs or when generated artifacts are saved as named queries and shared dashboards on external platforms.

VirusTotal

66/66 vendors flagged this skill as clean.