Sponge Wallet

Security checks across malware telemetry and agentic risk

Overview

This doc-only wallet skill is transparent about many features, but it delegates broad real-money actions to an agent, including crypto transfers, trading, auto-paid web fetches, and Amazon checkout, without clear per-action safeguards.

Install only if you are comfortable giving an agent durable authority over wallet funds, paid API requests, trading, and possible Amazon purchases. Prefer testnet or low-balance accounts, avoid agent-first registration for real funds, require explicit confirmation for every transfer, swap, bridge, withdrawal, trade, x402 fetch, or checkout, and rotate or revoke the stored API key when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium, 97% confidence
Finding: The manifest and description present the skill as crypto-wallet management, but the documented capability set materially extends to Amazon purchasing and arbitrary paid-API fetching. This scope mismatch can mislead users and higher-level agents into granting trust or invoking actions they would not expect from a finance wallet skill, increasing the chance of unauthorized spending or unsafe delegation.

Context-Inappropriate Capability

High, 99% confidence
Finding: The x402_fetch feature allows arbitrary external HTTP requests and automatically pays on 402 responses using wallet funds. That is far broader than wallet management and creates a powerful spend-and-exfiltration primitive if an attacker can influence the URL, method, headers, or body.

Context-Inappropriate Capability

High, 98% confidence
Finding: Amazon checkout enables real-world purchases that are unrelated to the declared wallet-management purpose. This hidden commerce capability raises the risk of unauthorized purchases, especially when embedded in an agent skill that users may trust only for crypto operations.

Missing User Warnings

Medium, 93% confidence
Finding: The documentation exposes destructive financial actions such as transfers, withdrawals, order placement, bridge operations, and purchases without consistently requiring user confirmation or warning about irreversible loss. In an agent setting, this omission increases the likelihood that dangerous actions are triggered without informed consent.

Missing User Warnings

High, 97% confidence
Finding: The quick reference advertises x402 fetch as 'auto-pay 402s' without an upfront warning that merely fetching a URL may spend funds automatically. This creates a high risk of accidental payment, especially if downstream prompts or untrusted inputs can influence the target URL.

VirusTotal

64/64 vendors flagged this skill as clean.