Near Multi Account Manager

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a genuine NEAR account manager, but it ships with weak wallet-key safeguards (a built-in fallback encryption key for the stored private keys and a transfer entrypoint with no confirmation step) and with unrelated market.near.ai marketplace scripts that carry a hardcoded bearer token. Review both before installing.

Only install after reviewing the wallet risks. Set a strong, unique NEAR_SKILL_KEY before adding any account and confirm the vault can no longer be opened without it; keep high-value private keys out of the skill until the fallback key is removed; require explicit confirmation before any transfer; and remove or ignore the unrelated market.near.ai scripts that contain the exposed token. The publisher should revoke that token, since anyone who has read the source can already use it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
This script probes multiple remote job-related API endpoints and attempts a deliverable submission, behavior that is unrelated to the declared purpose of NEAR multi-account management. The mismatch strongly suggests hidden functionality for interacting with an external marketplace using embedded credentials, which could enable unauthorized actions on a third-party account.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The file performs authenticated HTTPS requests to market.near.ai for job and deliverable operations, which is unjustified by the skill's advertised account-management role. In context, this hidden external integration expands the skill's capabilities beyond user expectations and can be used to manipulate external resources or exfiltrate operational data.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
This file contains standalone code that makes an authenticated request to an external job-status endpoint using a hardcoded bearer token, and it is unrelated to the stated purpose of NEAR multi-account management. That mismatch strongly suggests hidden functionality and creates risk of unauthorized external communication, credential misuse, and covert data or capability abuse.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code implements marketplace job-monitoring behavior against market.near.ai that has no justified relationship to encrypted credential storage, account switching, or balance aggregation. In the context of a wallet/account-management skill, unrelated authenticated external access is especially dangerous because it indicates hidden capability that could be used to exfiltrate information, abuse third-party services, or operate outside user expectations.

Scope Creep

Severity: High
Confidence: 97%
Finding
The manifest declares no capabilities even though the skill clearly performs sensitive local credential storage, account management, and NEAR network interactions. This creates a dangerous mismatch between declared permissions and actual behavior, which can bypass operator expectations, weaken sandboxing/policy enforcement, and obscure the real risk of handling private keys and initiating transfers.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The skill metadata advertises account management and balance aggregation, but the code also exposes a live on-chain transfer primitive that can move funds irreversibly. This is dangerous because an agent or user may invoke the skill under the assumption that it is read/manage-only, while the hidden transactional capability materially expands the blast radius from information handling to asset loss.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
The function is named and documented as retrieving transaction history, but it only returns account state and an explorer link. This mismatch can mislead callers, cause downstream security logic or auditing workflows to rely on incomplete data, and hide the fact that no actual history verification occurred.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
The file does not implement the advertised NEAR multi-account functionality at all; instead it submits a deliverable to an external service using a hardcoded bearer token. This mismatch is a strong indicator of hidden, undeclared behavior and makes the skill materially more dangerous because users expecting local account-management features may unknowingly run code that performs unauthorized network actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The code contains an external submission capability unrelated to the skill's stated purpose, which is a classic sign of covert or unauthorized functionality. In the context of a security-sensitive multi-account wallet skill, any unrelated outbound action is especially risky because the skill may have access to credentials, account metadata, or user trust that can be abused.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
This script exfiltrates deliverable metadata to an external endpoint and includes an authorization bearer token unrelated to the advertised NEAR multi-account management functionality. The mismatch between the stated skill purpose and the actual network submission behavior is a strong indicator of hidden, unauthorized outbound communication that could leak secrets or enable unauthorized actions against a third-party service.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The file adds a capability to POST data to an external job endpoint even though such behavior is not justified by a NEAR account management tool. In this context, hidden external submission logic is especially dangerous because users may grant the skill access to sensitive wallet or account context, creating risk of covert data leakage or abuse of privileged environment data.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding
This file does not implement NEAR multi-account management at all; instead, it posts a deliverable to an external marketplace endpoint using a hardcoded bearer token. That mismatch between declared skill purpose and actual behavior is a strong indicator of hidden exfiltration or unauthorized submission logic, especially because it performs a network action to a third-party service unrelated to the advertised functionality.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The code contains an unrelated capability to submit data to market.near.ai, which is not justified by the skill's stated purpose of secure account management. In security-sensitive software handling credentials and accounts, hidden unrelated network functionality materially increases risk because it can be repurposed for data exfiltration, unauthorized actions, or supply-chain abuse.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding
The README documents a transfer capability for mainnet funds but does not clearly warn that blockchain transfers are irreversible and can permanently move assets if the recipient or amount is wrong. In a wallet/account-management skill, omitting that warning increases the chance of user error and unsafe automation around real-value transactions.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The README states that the encryption key defaults to a built-in key, which means multiple installations may share the same secret or rely on a recoverable constant. For a skill storing encrypted private keys, this can nullify the protection of local credential storage because anyone who knows or extracts the built-in key may decrypt all stored account secrets.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill promotes NEAR transfers but does not clearly warn that transfers are irreversible and move real value, which can mislead users into invoking destructive actions without understanding the risk. In a wallet-management context, missing risk disclosure increases the chance of accidental loss, phishing-style social engineering through the skill interface, or unsafe automation of fund movement.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script issues a POST request to a remote deliverable endpoint that can create or modify remote state without any warning, consent, or approval step from the user. Silent outbound writes are dangerous because they can perform unauthorized submissions or actions in the background, especially when paired with a hardcoded bearer token.

Missing User Warnings

Severity: High
Confidence: 100%
Finding
A hardcoded live bearer token is embedded directly in source and transmitted with each network request. This is a severe secret-management failure because anyone with access to the code can reuse the credential to access the associated account or API, and the token also enables unauthorized remote actions from within the skill.

Missing User Warnings

Severity: Medium
Confidence: 100%
Finding
A bearer token is hardcoded directly in source and used for an authenticated network request without disclosure or consent. This exposes a live credential to anyone with code access and enables unauthorized use of the external API; in a security-sensitive skill handling multiple accounts, undisclosed authenticated outbound requests materially increase the risk profile.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill stores private keys on disk and only protects them with application-layer AES using a fallback hardcoded default key, with no user disclosure. If the host filesystem, process environment, backups, or local user account are compromised, an attacker can recover signing keys and take full control of associated NEAR accounts.
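This finding and the earlier one about the README's built-in default key describe the same weakness: a key that every install shares unless the user happens to set NEAR_SKILL_KEY. The following Python is an added example, not code from the skill or from this page, showing the loading path a wallet vault should use instead: the passphrase must be present, must not equal the fallback constant, and is stretched with scrypt under a per-install random salt. The BUILTIN_FALLBACK_KEY value, the minimum length, and the function names are assumptions; the real constant is not on the page.

```python
import hashlib
import os
import secrets

# Stand-in for the built-in fallback the README describes; the real constant
# is not on the page.
BUILTIN_FALLBACK_KEY = "near-skill-default-key"
MIN_PASSPHRASE_LEN = 16
KEY_LEN = 32           # 256-bit key for the skill's application-layer AES
SALT_LEN = 16


class WeakKeyError(ValueError):
    """Raised instead of silently falling back to a shared constant."""


def check_passphrase(passphrase):
    """Reject a missing, built-in, or trivially short NEAR_SKILL_KEY.

    The weak pattern is os.environ.get("NEAR_SKILL_KEY", BUILTIN_FALLBACK_KEY):
    every install without the variable shares one recoverable secret, so
    anyone who reads the constant out of the code can decrypt every vault.
    """
    if not passphrase:
        raise WeakKeyError("NEAR_SKILL_KEY is not set; refusing to use a fallback key")
    if passphrase == BUILTIN_FALLBACK_KEY:
        raise WeakKeyError("NEAR_SKILL_KEY equals the built-in fallback key")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise WeakKeyError("NEAR_SKILL_KEY is shorter than %d characters" % MIN_PASSPHRASE_LEN)
    return passphrase


def is_acceptable(passphrase):
    """Boolean form of check_passphrase for callers that prefer a status over an exception."""
    try:
        check_passphrase(passphrase)
        return True
    except WeakKeyError:
        return False


def new_salt():
    """Per-install random salt, stored beside the vault (it need not be secret)."""
    return secrets.token_bytes(SALT_LEN)


def derive_key(passphrase, salt):
    """Stretch the passphrase with scrypt (stdlib) into a KEY_LEN-byte vault key.

    With a per-install salt, two installs using the same passphrase get
    different keys, and a leaked vault cannot be attacked with a precomputed
    table. N=2**14, r=8 needs about 16 MiB, within hashlib's default limit.
    """
    check_passphrase(passphrase)
    if len(salt) < SALT_LEN:
        raise ValueError("salt too short")
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=KEY_LEN)


def load_vault_key(salt, env=None):
    """Read NEAR_SKILL_KEY from the environment and derive the vault key, never falling back."""
    env = os.environ if env is None else env
    return derive_key(env.get("NEAR_SKILL_KEY"), salt)


if __name__ == "__main__":
    salt = new_salt()
    try:
        load_vault_key(salt, env={})                 # unset: refused, not defaulted
    except WeakKeyError as e:
        print("refused:", e)
    key = load_vault_key(salt, env={"NEAR_SKILL_KEY": "correct horse battery staple 2024"})
    print("derived %d-byte key, salt %s" % (len(key), salt.hex()))
```

The salt is written next to the vault file on first use and read back afterwards; losing it makes the vault unrecoverable, which is the intended property, because the key now depends on something an attacker cannot read out of the published source.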

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The transfer entrypoint performs an irreversible blockchain transaction without any explicit confirmation step, safety interlock, or user warning. In an agent setting, prompt confusion, accidental invocation, or parameter tampering could directly trigger unauthorized fund transfers with no rollback once submitted on-chain.
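An interlock of the kind this finding calls for, as an added example that is not the skill's own code: the transfer entrypoint is split into prepare(), which validates the request and returns a one-time confirmation token together with a summary for the operator to approve, and execute(), which only signs when the same recipient and amount arrive with an unexpired token. The TransferGuard class, the recipient allowlist, the per-transfer cap, and the injected send function are all assumptions; yoctoNEAR arithmetic uses integers so no float rounding can change an amount between steps.

```python
import secrets
import time

YOCTO = 10**24  # 1 NEAR in yoctoNEAR; amounts are integers to avoid float rounding


class RecordingSender:
    """Stand-in for the real signer: records each transfer instead of broadcasting it."""

    def __init__(self):
        self.sent = []

    def __call__(self, sender, recipient, amount_yocto):
        self.sent.append((sender, recipient, amount_yocto))
        return "constructed-tx-hash"


class TransferGuard:
    """Two-step confirmation in front of an irreversible NEAR transfer.

    prepare() validates the request against a recipient allowlist and a
    per-transfer cap, records the exact recipient and amount, and returns a
    one-time token plus a human-readable summary. execute() sends only when
    the same recipient and amount are presented with an unexpired token; the
    token is consumed on any attempt, so a changed parameter means a fresh
    prepare() and a fresh confirmation. Results are dicts rather than
    exceptions so an agent tool layer can surface the refusal reason.
    """

    def __init__(self, sender, send_fn, allowlist=(), max_yocto=10 * YOCTO, ttl_s=120, now=time.time):
        self.sender = sender
        self.send_fn = send_fn          # performs the signed transaction (injected)
        self.allowlist = set(allowlist)
        self.max_yocto = max_yocto
        self.ttl_s = ttl_s
        self.now = now
        self._pending = {}

    def prepare(self, recipient, amount_yocto):
        if isinstance(amount_yocto, bool) or not isinstance(amount_yocto, int) or amount_yocto <= 0:
            return {"ok": False, "reason": "amount must be a positive integer in yoctoNEAR"}
        if amount_yocto > self.max_yocto:
            return {"ok": False, "reason": "amount exceeds per-transfer cap"}
        if recipient not in self.allowlist:
            return {"ok": False, "reason": "recipient %s not in allowlist" % recipient}
        token = secrets.token_hex(16)
        self._pending[token] = (recipient, amount_yocto, self.now())
        summary = "IRREVERSIBLE: send %g NEAR from %s to %s" % (amount_yocto / YOCTO, self.sender, recipient)
        return {"ok": True, "token": token, "summary": summary}

    def execute(self, recipient, amount_yocto, token):
        pending = self._pending.pop(token, None)   # consumed whether or not we proceed
        if pending is None:
            return {"ok": False, "reason": "no pending confirmation for this token"}
        p_recipient, p_amount, issued = pending
        if (recipient, amount_yocto) != (p_recipient, p_amount):
            return {"ok": False, "reason": "parameters changed since confirmation; prepare again"}
        if self.now() - issued > self.ttl_s:
            return {"ok": False, "reason": "confirmation expired; prepare again"}
        return {"ok": True, "result": self.send_fn(self.sender, recipient, amount_yocto)}


if __name__ == "__main__":
    guard = TransferGuard("alice.near", RecordingSender(), allowlist=["bob.near"])
    p = guard.prepare("bob.near", 2 * YOCTO)
    print(p["summary"])                                        # operator approves this text
    print(guard.execute("bob.near", 2 * YOCTO, p["token"]))    # sends
    print(guard.execute("bob.near", 2 * YOCTO, p["token"]))    # replay refused
```

In an agent setting the token should be returned to the supervising user or policy layer, not to the model that requested the transfer, so a prompt-injected "now call execute" cannot complete the loop on its own.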

Missing User Warnings

Severity: Medium
Confidence: 100%
Finding
The script embeds a live bearer token directly in source code and uses it in an outbound HTTPS POST to a third-party service without any user notice or runtime consent. Hardcoded secrets are easily leaked through source distribution, logs, repositories, or reuse, and the undeclared transmission behavior could enable unauthorized submissions or broader API abuse.

Missing User Warnings

Severity: High
Confidence: 100%
Finding
A live bearer token is hardcoded directly into the source and transmitted over the network without disclosure or runtime user consent. Exposed credentials can be copied by anyone with code access and used to impersonate the skill or interact with the remote API, leading to account compromise, unauthorized submissions, or broader service abuse.

Missing User Warnings

Severity: Medium
Confidence: 100%
Finding
The request includes a hardcoded live bearer token in source code and transmits it in an outbound HTTP authorization header. Embedding production credentials directly in a distributed skill is a severe secret-exposure issue: anyone with file access can reuse the token to impersonate the publisher, submit unauthorized data, or abuse the associated account/service.
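Two of the report's themes can be checked mechanically before installing: the Scope Creep finding (a manifest that declares no capabilities while the code reads environment variables, writes files, talks to the network and sends funds) and the repeated hardcoded-bearer-token findings. The Python below is an added example, not the marketplace's scanner or the skill's code. It scans source text for behaviour signatures, diffs them against the manifest's declared capabilities and allowed hosts, and flags bearer-token literals. The capability taxonomy and manifest fields are assumed, the sample manifest and files are constructed to mirror the findings above, and the token value is a placeholder, not a real credential.

```python
import re

# Assumed capability taxonomy (network, secrets, filesystem, transfer); the
# marketplace's real manifest schema is not on the page.
SIGNATURES = [
    ("network", re.compile(r"https?://([A-Za-z0-9.-]+)")),
    ("secrets", re.compile(r"os\.environ|getenv\(")),
    ("filesystem", re.compile(r"\bopen\([^)]*['\"][wa]")),
    ("transfer", re.compile(r"send_money\(|\btransfer\(")),
]
# "Bearer" followed by a token-shaped string inside a string literal.
BEARER_LITERAL = re.compile(r"""['"]Bearer\s+[\w.\-]{20,}['"]""")


def scan_source(path, text):
    """Return one finding per line that exhibits a capability or a token literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cap, pat in SIGNATURES:
            m = pat.search(line)
            if m:
                detail = m.group(1) if pat.groups else m.group(0)
                findings.append({"file": path, "line": lineno, "capability": cap, "detail": detail})
        if BEARER_LITERAL.search(line):
            findings.append({"file": path, "line": lineno, "capability": "hardcoded_token",
                             "detail": "bearer token literal in source"})
    return findings


def audit(manifest, files):
    """Diff observed behaviour against the manifest's declared capabilities and hosts."""
    declared = set(manifest.get("capabilities", []))
    allowed_hosts = set(manifest.get("allowed_hosts", []))
    findings = [f for path, text in sorted(files.items()) for f in scan_source(path, text)]
    return {
        "undeclared": [f for f in findings
                       if f["capability"] != "hardcoded_token" and f["capability"] not in declared],
        "undeclared_hosts": sorted({f["detail"] for f in findings
                                    if f["capability"] == "network" and f["detail"] not in allowed_hosts}),
        "hardcoded_tokens": [f for f in findings if f["capability"] == "hardcoded_token"],
    }


# Constructed sample: a manifest that declares nothing, plus three source files
# modelled on the page's findings (env-derived vault key, file write, RPC use,
# a transfer primitive, and a marketplace client with a literal bearer token).
# The token value is a placeholder, not a real credential.
SAMPLE_MANIFEST = {"name": "near-multi-account", "capabilities": [],
                   "allowed_hosts": ["rpc.mainnet.near.org"]}
SAMPLE_FILES = {
    "accounts.py": (
        'import os\n'
        'key = os.environ.get("NEAR_SKILL_KEY", "built-in-default")\n'
        'with open(VAULT_PATH, "wb") as f:\n'
        '    f.write(ciphertext)\n'
        'RPC = "https://rpc.mainnet.near.org"\n'
    ),
    "transfer.py": (
        'def transfer(account, to, amount):\n'
        '    return account.send_money(to, amount)\n'
    ),
    "submit_deliverable.py": (
        'import requests\n'
        'HEADERS = {"Authorization": "Bearer PLACEHOLDER_TOKEN_0123456789abcdef"}\n'
        'requests.post("https://market.near.ai/jobs/42/deliverables", headers=HEADERS, json=payload)\n'
    ),
}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_FILES)
    for f in report["undeclared"]:
        print("undeclared %-10s %s:%d %s" % (f["capability"], f["file"], f["line"], f["detail"]))
    print("hosts outside allowlist:", report["undeclared_hosts"])
    print("hardcoded tokens:", [(t["file"], t["line"]) for t in report["hardcoded_tokens"]])
```

Run against the constructed sample, every capability comes back undeclared, market.near.ai is the one host outside the allowlist, and the token literal is reported on its line in submit_deliverable.py; declaring the four capabilities in the manifest clears the scope-creep output but not the host or token findings, which is the distinction a reviewer wants to see.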

VirusTotal

0 of 52 vendors flagged this skill; all 52 reported it clean. This does not contradict the findings above: signature-based antivirus looks for known malware, not for logic issues such as a shared default encryption key, an unconfirmed transfer path, or a credential embedded in source.

View on VirusTotal