Alchemy Official

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Alchemy API guide, but it includes wallet private-key handling and automatic USDC payment flows without strong consent or spending controls.

Review before installing. Prefer an Alchemy API key or a testnet/dedicated low-balance wallet, do not paste private keys into chat or source files, and require manual approval for every payment, transaction broadcast, and webhook change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger phrases are broad enough to match ordinary user requests such as general blockchain, NFT, portfolio, or price questions. In an agent environment, overbroad activation can cause unintended invocation of a skill that performs external calls and may expose wallet-related data or steer the agent toward operational actions without clear user intent.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill advertises write-capable RPC calls and webhook creation alongside read operations without an explicit warning or consent boundary. In an autonomous or semi-autonomous agent setting, this increases the risk that a user request about blockchain data could be interpreted as permission to perform state-changing or externally impactful actions.

Missing User Warnings

Medium
Confidence: 93%
Finding
The document instructs users to submit wallet addresses, holdings, NFT ownership, and transaction history to a third-party API without any privacy warning or consent guidance. While blockchain data is public, aggregating addresses with portfolio and activity queries can expose sensitive financial profiling information and create unnecessary privacy leakage for users who may not realize this data is being centralized by an external provider.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation includes `eth_sendRawTransaction`, which broadcasts a signed transaction to a blockchain and can cause irreversible asset movement or contract interaction. In a general-purpose agent skill, documenting a write-capable method without an explicit warning about permanence, signing requirements, and user confirmation increases the risk that an agent or user will treat it like a routine read call.

Missing User Warnings

Medium
Confidence: 92%
Finding
The recipe instructs users to send wallet addresses and an API key to a third-party service without any privacy or data-handling warning. While this is expected for an API integration, the omission is still a real security/privacy issue because wallet addresses can reveal holdings and behavior, and API keys may be exposed through shell history, logs, or copied commands.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation demonstrates deriving an account directly from a raw private key string without any warning about secret-handling risks. In an agent skill context, users may copy real keys into code, logs, prompts, or hosted runtimes, increasing the chance of credential theft and full wallet compromise.

Missing User Warnings

Medium
Confidence: 92%
Finding
The workflow instructs users to persist a reusable SIWE token to `siwe-token.txt` and reuse it across requests, but only mentions adding the file to `.gitignore`. A SIWE token used in an `Authorization` header functions as a bearer credential for gateway access, so storing it in plaintext on disk without stronger warnings or handling guidance increases the risk of credential leakage via local compromise, shell history, backups, logs, or accidental sharing.

Missing User Warnings

Medium
Confidence: 90%
Finding
The payment flow tells users to generate a payment signature and retry the request after a 402 response, but it does not clearly foreground that this step authorizes a real USDC payment tied to the wallet private key. In a command-line workflow, insufficient warning can cause users or downstream agents to sign and submit payment-related data without informed consent, especially when the script is presented as routine error handling.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation instructs users to use wrappers that automatically handle 402 payment challenges and sign payment requests, but it does not prominently warn that real funds may be spent as part of ordinary API usage. In an agent skill context, this is dangerous because an autonomous system may trigger paid retries without explicit operator awareness or per-request consent, leading to unexpected financial loss.

Missing User Warnings

Medium
Confidence: 95%
Finding
The described flow explicitly says the client will read 402 requirements, create a signed USDC payment, and retry automatically, yet it omits a strong warning about financial impact, budget controls, or consent. In a skill used by agents, this increases the risk of silent or repeated micro-payments accumulating without the user realizing the tool is authorizing blockchain payments.

Missing User Warnings

Medium
Confidence: 94%
Finding
The instructions tell an agent to decode a 402 challenge, sign an x402 payment payload, and resend it as `Payment-Signature`, explicitly authorizing a real USDC transfer via EIP-3009. Because the document provides no requirement for explicit user consent, amount/network confirmation, recipient verification, or spending limits, an agent following it could autonomously authorize loss of funds in response to an external service challenge.

Missing User Warnings

Medium
Confidence: 89%
Finding
The rule instructs users to place a wallet private key directly into an environment variable or `.env` file, which normalizes handling a highly sensitive secret in ways that are easy to leak through shell history, process inspection, logs, backups, misconfigured `.gitignore`, or accidental commits. Although the file says not to paste keys in chat and not to store them in `wallet.json`, it does not sufficiently warn about the risks of long-lived plaintext secret storage or recommend safer secret-management mechanisms.

External Transmission

Medium
Category
Data Exfiltration
Content
### Request

```bash
curl -s -X POST https://eth-mainnet.g.alchemy.com/v2/$ALCHEMY_API_KEY \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
```
Confidence: 84%
Finding
curl -s -X POST https://eth-mainnet.g.alchemy.com/v2/$ALCHEMY_API_KEY \ -H "Content-Type: application/json" \ -d

VirusTotal

3/66 vendors flagged this skill as malicious, and 63/66 flagged it as clean.
