web5 cli

Security checks across malware telemetry and agentic risk

Overview

This Web5 CLI skill is mostly purpose-aligned, but it gives agents high-impact account, wallet, DID, and PDS write authority without enough safeguards around destructive actions and credentials.

Review before installing. Use only with disposable or test Web5 accounts until destructive workflows require explicit confirmation, token output is redacted, JWT handling is safer, and PDS write actions are clearly scoped and approved by the user.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium, 90% confidence
Finding
The top-level docstring and usage text say the script creates an account, while the implementation actually deletes a PDS account and destroys the DID. In a destructive account-management tool, misleading documentation can directly cause operators to run the script under false assumptions, leading to irreversible data and identity loss.

Vague Triggers

Medium, 83% confidence
Finding
The invocation scope is broad enough to match many general Web5, DID, wallet, and account tasks, which increases the likelihood of accidental activation in contexts involving sensitive keys, wallets, or account state. Because the skill includes state-changing and destructive operations, overbroad triggering materially raises the chance of unintended use.

Missing User Warnings

Medium, 95% confidence
Finding
The destroy-account workflow instructs deletion of a PDS account and destruction of a DID, followed by removal of local account metadata, without an explicit confirmation step in that workflow. In a skill that may be executed by an autonomous or semi-autonomous agent, missing a mandatory user confirmation before irreversible actions creates a high risk of accidental account loss.

Missing User Warnings

Medium, 89% confidence
Finding
The script performs account creation, blockchain transaction submission, and remote PDS writes immediately after parsing arguments, without any interactive confirmation or dry-run safeguard. In an agent or automation context, this increases the chance of unintended irreversible actions, including spending wallet funds or creating unwanted identities/accounts.

Missing User Warnings

High, 99% confidence
Finding
The script prints the full userinfo object returned by account creation, which includes accessJwt and refreshJwt tokens. Anyone with access to stdout logs, terminal scrollback, CI output, or agent transcripts could reuse these credentials to access or refresh the new account session.

Missing User Warnings

High, 98% confidence
Finding
The script passes the access JWT as a command-line argument to a subprocess. Command-line arguments are commonly visible to other local users via process listings, shell history, debugging tools, and system telemetry, which can leak bearer tokens and enable account compromise.

Missing User Warnings

High, 98% confidence
Finding
The script performs irreversible actions—PDS account deletion and on-chain DID destruction—without any explicit confirmation prompt, dry-run mode, or safety interlock. In this skill context, the script is specifically designed to manage decentralized identity and wallet-linked resources, so accidental invocation can permanently destroy accounts and associated records.

VirusTotal

64/64 vendors flagged this skill as clean.
