Setup Stellar Contracts

Security checks across malware telemetry and agentic risk

Overview

The skill appears to support Stellar/Soroban development, but its setup guidance asks users to execute unverified remote installer scripts directly in their shell.

Review the installer commands carefully before using this skill. Prefer official package-manager or pinned release installation methods, verify checksums or signatures where available, and avoid running `curl | sh` commands unless you trust the source and understand that the script will run with your local user privileges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to install tooling by piping remotely fetched scripts directly into the shell, without any integrity verification, pinning to a reviewed artifact, or warning about the risk. If the upstream script, hosting path, or delivery channel is compromised, users could execute arbitrary code on their machine during setup.

External Script Fetching

Low
Category
Supply Chain
Content
Install the Rust toolchain (v1.84.0+) and the Soroban WASM target:

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
rustup target add wasm32v1-none
```
Confidence
98% confidence
Finding
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

External Script Fetching

Low
Category
Supply Chain
Content
Install the Stellar CLI:

```bash
curl -fsSL https://github.com/stellar/stellar-cli/raw/main/install.sh | sh
```

Create a new Soroban project:
Confidence
98% confidence
Finding
curl -fsSL https://github.com/stellar/stellar-cli/raw/main/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
Install the Rust toolchain (v1.84.0+) and the Soroban WASM target:

```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
rustup target add wasm32v1-none
```
Confidence
97% confidence
Finding
| sh

Chaining Abuse

High
Category
Tool Misuse
Content
Install the Stellar CLI:

```bash
curl -fsSL https://github.com/stellar/stellar-cli/raw/main/install.sh | sh
```

Create a new Soroban project:
Confidence
98% confidence
Finding
| sh

VirusTotal

61/61 vendors flagged this skill as clean.
