Sentio Processor

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Sentio processor skill whose examples are purpose-aligned, though users should treat wallet-level analytics as sensitive.

Install this only if you intend to build Sentio blockchain processors. Before copying examples into production, review whether wallet addresses, account IDs, amounts, rates, points, and webhook exports are necessary; prefer aggregated or pseudonymous data where possible and keep Sentio API/OAuth credentials scoped to the intended project.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The example emits a user-linked identifier (`distinctId: event.args.recipient`) together with specific on-chain trading activity, which can directly facilitate wallet-level profiling and behavior tracking when copied into production processors. In documentation for analytics/indexing code, omission of any privacy warning or minimization guidance increases the likelihood that developers will reproduce privacy-invasive logging by default.

Missing User Warnings

Medium
Confidence: 95%
Finding
The lending examples log borrower/supplier wallet identifiers alongside sensitive financial actions such as supply and borrow amounts, reserves, and rates. Even though the source data is on-chain, presenting this as a standard pattern without disclosure normalizes creation of enriched user activity datasets that materially increase privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 90%
Finding
The Sui examples emit sender identifiers tied to pool creation and swap activity, enabling straightforward linkage of wallet addresses to transaction behavior. In a processor-pattern reference, this is risky because it encourages developers to adopt privacy-invasive observability patterns without any warning, minimization advice, or discussion of downstream data handling obligations.

Missing User Warnings

Medium
Confidence: 89%
Finding
The examples repeatedly emit wallet addresses, account IDs, senders, recipients, and other user-linked identifiers via `distinctId` and event payloads without any privacy notice, minimization guidance, or warning about downstream analytics implications. In a blockchain analytics skill this is contextually common, but publishing production examples that normalize direct user identifier emission can lead developers to collect linkable personal data unnecessarily and may create compliance, consent, and data-retention risks.

VirusTotal

64/64 vendors flagged this skill as clean.
