Bags

Security checks across malware telemetry and agentic risk

Overview

The skill is a real Solana/Bags automation guide, but it handles wallet private keys, live financial transactions, long-lived credentials, and silent self-updates in ways users should review carefully.

Install only if you are comfortable letting an agent work with real Solana wallets and Bags credentials. Do not run the heartbeat self-update silently, use a low-value wallet, rotate or revoke exposed keys, review every transaction before signing, and avoid storing or passing private keys through shell variables when possible.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

Description-Behavior Mismatch

Severity: Medium | Confidence: 97%
Finding
The fee-claim flow instructs exporting the wallet's private key from the service and handling it in a shell variable, which materially expands the trust boundary beyond simple fee claiming. Even if intended for legitimate signing, private-key export creates a high-risk credential exposure path through shell history, process inspection, logs, crashes, or downstream tooling compromise.

Description-Behavior Mismatch

Severity: Medium | Confidence: 97%
Finding
The heartbeat routine goes beyond passive status checking by silently downloading remote content and overwriting local skill files. This creates an unreviewed supply-chain and self-modifying behavior: if the remote endpoint is compromised or content changes unexpectedly, the agent can ingest new instructions without human approval.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Finding
The complete script includes a self-update block that fetches multiple markdown files from the network and replaces local copies during a periodic run. Because these files define future agent behavior, this is effectively self-modification from a remote source and can turn a benign heartbeat into a code/instruction delivery channel.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
Finding
The documentation explicitly instructs users to export a wallet private key from a remote API and pass it into a local signing script. Exporting private keys dramatically expands the attack surface: the key can be exposed via shell history, process arguments, logs, memory inspection, or compromise of the local environment, and this goes beyond normal quote/swap usage.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The document explicitly instructs users to save a 365-day JWT and API key in plaintext JSON under the home directory. Although it applies chmod 600, that only limits other local users and does not protect against local malware, backups, shell access, or accidental disclosure; the risk is heightened because the token lifetime is very long.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The file repeatedly encourages autonomous agents to launch tokens, trade, and claim fees using real funds while explicitly framing experimentation and rapid action as desirable. Because it lacks prominent warnings about financial loss, irreversible on-chain transactions, legal/compliance considerations, and the need for human confirmation, it can push an agent toward unsafe real-money behavior in a context where mistakes have immediate financial consequences.

Missing User Warnings

Severity: Medium | Confidence: 84%
Finding
The instructions tell users to sign and broadcast blockchain transactions but do not provide a strong, explicit warning that on-chain actions can be irreversible and may transfer value or execute unintended effects if the transaction payload is not verified. In an agent skill context, this is more dangerous because users may automate signing flows without independently decoding or reviewing the transaction contents.

Missing User Warnings

Severity: High | Confidence: 95%
Finding
This section instructs users to place a private key into an environment variable and pass it to a local script, but only includes a brief cleanup note rather than a strong warning about credential exposure. Private keys in environment variables are commonly exposed through shell history, crash dumps, debugging tools, subprocess inheritance, and host telemetry, making compromise of the wallet possible.

Vague Triggers

Severity: Medium | Confidence: 76%
Finding
The invocation guidance is broad enough to trigger routine execution in ordinary situations, increasing how often credentials are loaded, network calls are made, and state is modified. While not a direct exploit by itself, overbroad triggering expands exposure to the other risky behaviors in the skill.

Missing User Warnings

Severity: High | Confidence: 98%
Finding
The skill instructs silent overwriting of local files from remote content without prior user warning or consent. Hidden modification of local instructions is dangerous because users may believe they are running a read-only status check while the skill can change future behavior persistently.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding
The skill reads JWT and API credentials from disk and uses them in external requests, but the markdown framing does not clearly warn the user that sensitive tokens will be accessed and transmitted. In an agent setting, undisclosed credential use materially increases the risk of accidental exposure or misuse.

Missing User Warnings

Severity: Medium | Confidence: 96%
Finding
The guide instructs the user to export a wallet private key and immediately use it to sign live Solana transactions, but it does not provide strong warnings about secret handling, transaction review, or the irreversible financial consequences of submission. In an agent skill context, normalizing private-key export into shell variables materially increases the chance of credential exposure, accidental logging, reuse, or unauthorized signing.

Missing User Warnings

Severity: Medium | Confidence: 97%
Finding
The complete script automates token creation, fee-share setup, optional initial buy, signing, and broadcast of on-chain transactions without an upfront warning that it will spend funds and create permanent public state. In an agent or copy-paste workflow, this raises the risk of users executing the script without understanding that it can consume SOL, create a live token, and submit irreversible transactions.

Vague Triggers

Severity: Medium | Confidence: 93%
Finding
The trigger list includes broad phrases such as "claim fees," "launch token," and "check bags" that can overlap with ordinary user requests and automatically route users into a high-risk DeFi skill. In this context, the skill can authenticate, manage wallets, trade, and launch tokens, so unintended invocation could lead to sensitive financial actions being proposed or initiated without clear user intent.

Missing User Warnings

Severity: High | Confidence: 96%
Finding
The description advertises wallet management, fee claiming, trading, and token launching but provides no warning that these are sensitive financial operations with risks such as asset loss, irreversible transactions, scams, and unauthorized launches. Because this is a crypto/DeFi skill operating on Solana, the absence of user-facing risk disclosure increases the chance that users or agents engage in dangerous actions without informed consent.

Missing User Warnings

Severity: Medium | Confidence: 88%
Finding
The skill explicitly documents a wallet export endpoint that exports a private key for signing, but it does not present a strong, adjacent warning that using this capability exposes the most sensitive credential in the system. In an agent context, normalizing private-key export materially increases the chance that an LLM or automation layer retrieves, mishandles, logs, or transmits keys, leading to irreversible theft of on-chain funds.

Missing User Warnings

Severity: Medium | Confidence: 84%
Finding
The skill promotes trading, claiming fees, and token launching as core capabilities without an upfront warning that blockchain actions are irreversible and may result in permanent loss of funds. In an agent-driven environment, this omission can cause users or automated systems to treat risky financial operations as routine, increasing the likelihood of unintended transactions.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The swap instructions progress from quote retrieval to private-key export, signing, and live transaction broadcast without a clear warning that this performs irreversible on-chain actions and handles highly sensitive key material. In an agent skill context, omission of such warnings increases the chance of unsafe automation or accidental execution with real funds.

Missing User Warnings

Severity: Medium | Confidence: 91%
Finding
The documentation instructs users to modify a sensitive credential store by adding wallet data into ~/.config/bags/credentials.json, but it does not warn about integrity, permission, or corruption risks to that file. Mixing mutable operational state with secrets increases the chance of accidental exposure, improper permissions, and downstream trust in attacker-controlled values if the file is later consumed by scripts.

Missing User Warnings

Severity: High | Confidence: 95%
Finding
The transfer and transaction submission instructions enable irreversible movement of funds, but the nearby guidance does not prominently warn users to verify recipient, amount, network, and transaction contents before execution. In a wallet-management skill, omission of explicit high-visibility warnings materially increases the risk of accidental loss of assets.

External Transmission

Severity: Medium | Category: Data Exfiltration
Content
if [ "$BAGS_TX_COUNT" -gt 0 ]; then
  # Export private key
  BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
    -H "Content-Type: application/json" \
    -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
    | jq -r '.response.privateKey')
Confidence: 98%
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export -H "Content-Type: application/json" -d

External Transmission

Severity: Medium | Category: Data Exfiltration
Content
BAGS_LAUNCH_TX=$(echo "$BAGS_LAUNCH_RESPONSE" | jq -r '.response.transaction')

# Export private key
BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
  -H "Content-Type: application/json" \
  -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
  | jq -r '.response.privateKey')
Confidence: 98%
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export -H "Content-Type: application/json" -d

External Transmission

Severity: Medium | Category: Data Exfiltration
Content
BAGS_RPC_URL="https://gene-v4mswe-fast-mainnet.helius-rpc.com"
  
  BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
    -H "Content-Type: application/json" \
    -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
    | jq -r '.response.privateKey')
Confidence: 98%
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export -H "Content-Type: application/json" -d

External Transmission

Severity: Medium | Category: Data Exfiltration
Content
BAGS_MAX_RETRIES=10

echo "📡 Signing and submitting..."
BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
  -H "Content-Type: application/json" \
  -d "{\"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET\"}" \
  | jq -r '.response.privateKey')
Confidence: 99%
Finding
curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export -H "Content-Type: application/json" -d

External Transmission

Severity: Medium | Category: Data Exfiltration
Content
BAGS_WALLET_ADDRESS="7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU"

curl -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export \
  -H "Content-Type: application/json" \
  -d "{
    \"token\": \"$BAGS_JWT_TOKEN\",
Confidence: 98%
Finding
curl -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export -H "Content-Type: application/json" -d "{ \"token\": \"$BAGS_JWT_TOKEN\", \"walletAddress\": \"$BAGS_WALLET_ADDRES

VirusTotal

66/66 vendors flagged this skill as clean.
