ClawRTC

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it under-discloses automatic telemetry and detailed host identifiers sent during mining.

Review before installing. This skill mines tokens by repeatedly fingerprinting your machine and contacting external services, including sending device identifiers such as MAC addresses and hostname. Use only on hardware where you are comfortable with that data sharing, avoid --yes unless you have reviewed the prompts, and avoid --service unless you want persistent background mining.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_cmd(cmd, check=True, capture=False):
    """Run a shell command."""
    try:
        result = subprocess.run(
            cmd, shell=True, check=check,
            capture_output=capture, text=True
        )
Confidence
98% confidence
Finding
result = subprocess.run( cmd, shell=True, check=check, capture_output=capture, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def _run_cmd(self, cmd):
    try:
        return subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                              text=True, timeout=10, shell=True).stdout.strip()
    except:
        return ""
Confidence
94% confidence
Finding
return subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10, shell=True).stdout.strip()

Tainted flow: 'req' from open (line 720, file read) → urllib.request.urlopen (network output)

High
Category
Data Flow
Content
data=payload,
                    headers={"Content-Type": "application/json"}
                )
                urllib.request.urlopen(req, timeout=5)
            except Exception:
                pass
        threading.Thread(target=_ping, daemon=True).start()
Confidence
97% confidence
Finding
urllib.request.urlopen(req, timeout=5)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The consent disclosure explicitly states that no data is sent to any third party, but the installer later transmits telemetry to a separate external domain. Misrepresenting outbound data sharing undermines informed consent and can conceal privacy-impacting behavior, which is particularly serious in installation tooling.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code explicitly probes VM/container indicators by reading DMI, SCSI, CPU, and environment metadata and then fails validation if virtualization is detected. In an agent skill context, this is a stealthy anti-analysis and environment-fingerprinting capability that can be used to evade sandboxing, discriminate against hosted environments, or collect sensitive host characteristics without a clear user-justified need.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
Describing the miner as 'local' while it performs multiple remote attest/enroll/balance requests can mislead users about network activity and trust boundaries. In security-sensitive tooling, inaccurate descriptions can cause users to run code they would otherwise scrutinize, especially when the program also uploads host identifiers and fingerprint data.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The code comment claims the attestation uses 'real hardware data,' but the MAC collection routine fabricates a placeholder value when none are found. This discrepancy undermines integrity claims and can enable spoofed or low-assurance attestation inputs to be accepted downstream.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes one-command installation that downloads a miner, creates a wallet, installs persistent background services, and performs recurring hardware attestation, but it does not clearly disclose the privacy, persistence, and network-security implications of those actions before installation. In this context, the combination of cryptocurrency mining, device fingerprinting, and automatic background communication materially increases user risk because operators may authorize sensitive system changes and telemetry without informed consent.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code sends install telemetry automatically and silently in a background thread after installation. Even if the payload is limited, users are not clearly warned during the install flow, and the earlier messaging is misleading, making this a genuine privacy and transparency issue.

Missing User Warnings

Low
Confidence
71% confidence
Finding
The skill persists wallet metadata to ~/.clawrtc/coinbase_wallet.json and only mentions the path after success, without clearly warning beforehand that local wallet/account information will be written. While no private key is stored here, silently creating local identity artifacts can expose sensitive operational metadata on shared systems or surprise users in security-sensitive environments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The module performs extensive hardware and environment fingerprinting: CPU flags, architecture, cache/timing behavior, thermal and instruction jitter, VM indicators, and possibly ROM signatures. In a skill setting, collecting this level of host-identifying telemetry without disclosure or consent creates privacy risk and can enable tracking, environment profiling, or anti-analysis behavior beyond what users would reasonably expect.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The attestation submission sends sensitive host fingerprinting data—hostname, MAC addresses, CPU model, memory, cores, timing-derived entropy, and bundled fingerprint-check results—to a remote server without an explicit privacy warning or informed consent. In this skill's context, the remote endpoint is hard-coded and the data set is detailed enough to support device tracking, profiling, and deanonymization.

Missing User Warnings

Low
Confidence
86% confidence
Finding
Writing the wallet identifier to /tmp creates an unnecessary local disclosure risk because temporary directories are broadly accessible and files may persist longer than expected. While the wallet is not a private key, it still exposes user participation metadata and could be abused for tracking or confusion if other local users can read or replace the file.

VirusTotal

59/59 vendors flagged this skill as clean.
