X Layer Execution Guard

Security checks across malware telemetry and agentic risk

Overview

This skill is disclosed as a crypto execution guard, but it can trigger real wallet swaps and passes broad local credentials into a subprocess without a strong runtime approval boundary.

Install only if you intentionally want an agent-accessible crypto guard that can also run real wallet swaps. Use proof or --no-execute mode by default, avoid setting EXECUTION_GUARD_EXECUTION_MODE=agentic-wallet globally, review any .env/.env.local files in the working directory, and only run live mode with a wallet and amounts you are prepared to risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_onchainos(self, args: List[str], timeout: int) -> Dict[str, Any]:
    try:
        completed = subprocess.run(
            [self._onchainos_bin(), *args],
            env=self._onchainos_env(),
            text=True,
Confidence
88% confidence
Finding
completed = subprocess.run( [self._onchainos_bin(), *args], env=self._onchainos_env(), text=True, capture_output=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill instructs the agent to run local Python scripts, install dependencies, access environment variables containing API credentials, read and write files, use networked OnchainOS APIs, and invoke shell commands, yet no explicit permissions are declared. This creates a capability/consent mismatch: a caller or platform may treat the skill as low-privilege while it can perform sensitive actions including optional live wallet execution and credential use.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill reads process environment plus local credential files (.env, .env.local, ~/.config/onchainos.env) and forwards them into the subprocess environment. This unnecessarily broad credential loading increases the blast radius if the called CLI is malicious, compromised, or simply logs or leaks its environment.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This code path can perform a real on-chain swap by spawning the external onchainos CLI when execution_mode is agentic-wallet. In an agent skill context, enabling asset-moving operations through a subprocess is inherently dangerous because it turns model/tool decisions into live wallet actions with limited in-function safety interlocks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The live execution path proceeds directly from a favorable verdict to wallet execution without any user-facing confirmation or secondary authorization at the point of asset movement. In an autonomous-agent setting, that increases the risk of unintended or manipulated trades causing direct financial loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill silently loads credentials from local files and ambient environment without clear disclosure at the execution boundary. In a skill ecosystem, hidden credential sourcing is risky because operators may not realize that invoking the skill can activate locally configured wallets or API identities.

VirusTotal

66/66 vendors flagged this skill as clean.
