risk art agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a mostly disclosed Bankr crypto and LLM integration, but it can control live wallet actions, raw transaction signing/submission, and persistent automations in ways users should review carefully.

Install only if you intend to use Bankr for live crypto and LLM gateway operations. Prefer a dedicated low-balance wallet, start with read-only keys, enable IP restrictions where possible, avoid raw sign/submit unless you can decode the transaction, verify chain and recipient every time, avoid putting live keys in shell profiles, and regularly review or cancel automations and auto top-up settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest description materially understates the skill's effective scope by omitting profile-management features that appear later in the document. Scope mismatches are dangerous in agent ecosystems because routing, approval, and user trust decisions may rely on the manifest summary, causing users or orchestrators to invoke broader capabilities than expected.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
Public profile management is a materially different capability from trading and LLM gateway access, yet it is bundled into the same skill without clear justification or separation. That broadens the attack surface and creates an opportunity for unintended external publication of project metadata or reputation-impacting content through a skill the user may only trust for wallet operations.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The description is extremely broad and natural-language-driven, covering trading, transfers, signing, raw transaction submission, leverage, betting, token deployment, and LLM access. In agentic systems, such broad invocation criteria can cause accidental routing or activation on ambiguous user requests, which is especially dangerous because the skill includes irreversible financial actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises high-risk financial capabilities up front but does not pair them with an equally prominent warning that actions may move funds, sign transactions, or create leveraged positions. Users and calling agents may therefore underestimate the consequences of invocation, increasing the chance of unsafe or uninformed use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow examples include actionable trading prompts such as token swaps without an upfront warning that natural-language submissions may trigger real on-chain, asset-changing operations. In a crypto trading skill, this omission materially increases the risk of accidental or socially engineered trades because users and integrators may treat examples as informational rather than transactional.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation encourages users to configure automated limit, stop, DCA, TWAP, and scheduled trading actions, but it does not clearly warn that these automations can execute trades without additional real-time confirmation and directly move or risk user funds. In a crypto trading skill with wallet and execution capabilities, omission of explicit financial-risk and auto-execution warnings can lead users to authorize persistent actions they do not fully understand, increasing the chance of unintended losses or excessive exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The scheduled commands section presents recurring command execution as a convenience feature but does not warn that repeated scheduled actions can expose portfolio data, repeatedly query sensitive account information, or trigger consequential actions over time if non-read-only commands are scheduled. In the context of a crypto agent that can trade, transfer, and manage assets, this omission makes the feature more dangerous because scheduling amplifies the effect of mistakes or ambiguous commands.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly instructs users to add `ANTHROPIC_AUTH_TOKEN` and the gateway base URL to `~/.zshrc` or `~/.bashrc`, which persists a live API credential in plaintext shell startup files without warning about local exposure risks. Those files are commonly backed up, synced, inspected by support tools, or left with broad read permissions, increasing the chance of credential theft and unauthorized use of the Bankr LLM gateway.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The transfer examples encourage sending NFTs to arbitrary wallet addresses, ENS names, or social handles without an explicit warning that transfers are typically irreversible and that recipient resolution mistakes can permanently lose assets. In a crypto trading agent, users may act directly from natural-language prompts, so omitting recipient-verification guidance materially increases the chance of accidental loss or social-engineering-assisted misdelivery.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The buy examples instruct users to purchase NFTs directly but do not explicitly warn that doing so will spend wallet funds, incur gas fees, and usually cannot be reversed after on-chain confirmation. Because this skill is designed to facilitate real crypto transactions through natural language, the lack of friction or clear risk disclosure can lead to unintended purchases and financial loss.

Missing User Warnings

High
Confidence
95% confidence
Finding
This section describes placing bets and especially automatic bridging in a way that normalizes fund-moving behavior without an explicit warning that real user assets may be transferred across chains and used in financial transactions. In the context of a crypto trading and betting agent, that omission is dangerous because users may not realize a natural-language request can trigger irreversible or hard-to-reverse onchain actions, increasing the risk of unintended loss, fees, slippage, and cross-chain fund movement.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example triggers include very broad, everyday phrases such as 'Show my portfolio' and 'What's my total balance?' that can plausibly appear in normal conversation and may cause the bankr skill to activate when the user did not explicitly intend to invoke a crypto-wallet capability. In the context of a financial skill tied to wallet balances across multiple chains, accidental activation can expose sensitive portfolio information and create a confusing path toward higher-risk financial actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The EVM trigger examples are broad enough that a general user request like 'create a token' or 'launch new token' could activate high-risk blockchain actions without clearly establishing chain, costs, or transaction consequences. In a crypto trading and wallet skill that can deploy tokens and submit transactions, ambiguous invocation materially increases the chance of unintended asset-affecting actions.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The guidance 'Just say "Launch TOKEN_NAME"' is an especially broad trigger for an irreversible on-chain token launch, making accidental activation more likely from casual or exploratory language. Because this skill operates in a live crypto context across multiple chains and supports transaction signing/submission, minimal trigger requirements are dangerous and can lead to unintended contract deployment and fee expenditure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The file encourages deployment and fee-claim actions with convenience-oriented phrasing but does not pair those calls to action with strong warnings that blockchain transactions are irreversible, may spend gas, create permanent fee arrangements, or alter asset rights. In a wallet-connected crypto agent, omission of these warnings can cause users to authorize actions they do not fully understand, leading to financial loss or permanent on-chain state changes.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The reference explicitly states that if no chain is specified, Bankr will automatically choose the 'most appropriate' chain and even prefers Base by default. In a skill that can execute real trades and bridges across multiple networks, this ambiguity can cause users to transact on an unintended chain, leading to wrong-asset purchases, inaccessible funds, unexpected fees, or bridging mistakes.

Missing User Warnings

High
Confidence
97% confidence
Finding
The document provides imperative trading and bridging examples but does not clearly warn that these prompts may trigger real on-chain transactions affecting wallet balances. In the context of a crypto trading agent with wallet access, this omission is dangerous because users may interpret the examples as informational rather than executable, increasing the risk of unintended trades, transfers, bridging, and financial loss.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Sign a plain text message
curl -X POST "https://api.bankr.bot/agent/sign" \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"signatureType": "personal_sign", "message": "Hello, Bankr!"}'
```
Confidence
86% confidence
Finding
curl -X POST "https://api.bankr.bot/agent/sign" \ -H "X-API-Key: $API_KEY" \ -H "Content-Type: application/json" \ -d '{"signatureType": "personal_sign", "message": "Hello, Bankr!"}' # Sign EIP

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Sign a plain text message
curl -X POST "https://api.bankr.bot/agent/sign" \
  -H "X-API-Key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"signatureType": "personal_sign", "message": "Hello, Bankr!"}'
```
Confidence
86% confidence
Finding
https://api.bankr.bot/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Store keys in environment variables (`BANKR_API_KEY`, `BANKR_LLM_KEY`), never in source code
- Add `~/.bankr/` and `.env` to `.gitignore` — the CLI stores credentials in `~/.bankr/config.json`
- Test with small amounts on low-cost chains (Base, Polygon) before production use
- Use `waitForConfirmation: true` with `/agent/submit` — transactions execute immediately with no confirmation prompt
- Rotate keys periodically and revoke immediately if compromised at [bankr.bot/api](https://bankr.bot/api)

**Reference**: [references/safety.md](references/safety.md)
Confidence
95% confidence
Finding
no confirmation

Session Persistence

Medium
Category
Rogue Agent
Content
Auto-install the Bankr provider into your OpenClaw config:

```bash
# Write config to ~/.openclaw/openclaw.json
bankr llm setup openclaw --install

# Preview the config without writing
bankr llm setup openclaw
```
Confidence
93% confidence
Finding
Write config to ~/.openclaw/openclaw.json bankr llm setup openclaw --install # Preview the config without writing bankr llm setup openclaw ``` This writes the following provider config (with your ke

VirusTotal

63/63 vendors flagged this skill as clean.