ClawHub

Mint Club V2

Security checks across malware telemetry and agentic risk

Overview

This is a real crypto wallet/trading skill that is openly described, but it gives an agent power over real funds without enough safety scoping or warnings.

Install only if you are comfortable giving an agent access to a crypto wallet. Use a dedicated low-balance Base wallet, verify the mint.club-cli package and version independently, avoid entering a main private key, and require human approval before every trade, swap, transfer, token creation, or ERC-20 approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to generate or import a wallet private key and describes shell-executed trading, swapping, transfers, and token creation, but it does not clearly warn that this grants the agent the ability to move real funds. In an agent-skill context, this is dangerous because operators may install the skill without understanding that wallet secrets and transaction authority are being delegated to automation.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to place a raw private key directly on the command line or in environment storage without any warning about shell history, process inspection, local file exposure, or safer signing alternatives. In an agent-skill context, this is especially dangerous because users may follow the instructions verbatim and expose wallet credentials that enable full theft of on-chain assets.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill presents buy, sell, swap, create, and send commands as ready-to-run examples without warnings that blockchain transactions are irreversible, may incur slippage and routing losses, and can permanently transfer funds or deploy tokens. In an agent-oriented workflow, terse executable commands can encourage unsafe automation or accidental execution with real assets, increasing the chance of financial loss.

VirusTotal

51/51 vendors flagged this skill as clean.

View on VirusTotal