Bracketsbot Skill

Security checks across malware telemetry and agentic risk

Overview

This skill coherently supports generating, reviewing, and preparing BracketsBot bracket submissions, with some disclosed but nontrivial wallet, network, and local-state behaviors users should understand.

Install only if you intend to use BracketsBot bracket workflows. Use coded policy modules only from files you wrote or trust, treat share links as uploading bracket picks to the configured BracketsBot frontend/API, and always verify chainId, destination contract, value, and data before signing with Bankr or any wallet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The walk-run-policy command explicitly accepts a developer-provided module path and passes it to a downstream script for execution. That is a real arbitrary code execution surface: if an agent, user, or untrusted input can influence policyModule, the skill can execute attacker-controlled JavaScript on the host, which exceeds the stated bracket-generation scope.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The script's stated purpose is to prepare and print an EVM transaction request, but it also performs an unrelated write operation that mutates a separate state file by deleting `draftToken` and `draftApiUrl`. This is dangerous because it expands the script's authority from read/encode-only behavior into destructive state manipulation, which can silently invalidate in-progress workflows, erase useful credentials/state, and surprise users or downstream automation.

Intent-Code Divergence

Low (84% confidence)
Finding
The comment says only draft metadata is cleared, but the code deletes `draftToken`, which is a credential-like value rather than mere metadata. This mismatch is risky because it hides a more sensitive side effect from reviewers and users, making security-impacting behavior easier to miss and increasing the chance of accidental credential destruction or workflow disruption.

Description-Behavior Mismatch

Medium (90% confidence)
Finding
The script performs an outbound PATCH request as a side effect of a local bracket-pick workflow, using draft session metadata to decide the destination. Because `meta.draftApiUrl` comes from persisted metadata rather than a fixed allowlisted endpoint, a crafted or tampered picks metadata file can cause unexpected external network access and data submission.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The code sends HTTP PATCH requests to a metadata-controlled URL without verifying that the URL is trusted or belongs to the intended BracketsBot service. This enables SSRF-like behavior or unintended exfiltration of bracket state if an attacker can influence `meta.draftApiUrl`, which is more dangerous because the skill's stated purpose is local bracket generation/validation, not arbitrary network interaction.

Context-Inappropriate Capability

Medium (96% confidence)
Finding
The script loads and executes a module from an environment-controlled path via dynamic import, which enables arbitrary JavaScript execution in the process context. In an agent skill, this is broader than necessary for bracket generation and becomes dangerous if an attacker can influence environment variables, configuration, or deployment inputs, because the imported module can read files, exfiltrate secrets, or modify outputs.

Missing User Warnings

Medium (91% confidence)
Finding
The script writes unsigned transaction data to a predictable path under /tmp and then immediately submits it through a wallet CLI with no user confirmation step. In a multi-user or shared environment, temporary-file races, symlink attacks, or accidental reuse of stale transaction data could cause unintended transaction submission or disclosure of transaction details.

Missing User Warnings

Medium (88% confidence)
Finding
The script transmits bracket update data off-host without clear user-facing disclosure in this file, and the destination is derived from metadata. Hidden outbound transmission increases security and privacy risk because users may expect a local bracket utility, while a tampered metadata file can redirect updates to an attacker-controlled endpoint.

VirusTotal

64/64 vendors flagged this skill as clean.
