ClawHub
Back to skill

Security audit

Oasyce

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only marketplace skill whose financial, network, and external-provider actions are disclosed and aligned with its purpose, but users should handle them carefully.

Before installing or using this skill, verify the Oasyce pip packages and active wallet or account, prefer a testnet or low-value account first, and require explicit approval for commands that spend tokens, sell shares, register public assets or endpoints, resolve disputes, onboard a node, or send private data to an AI capability provider.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill presents buy, sell, dispute, and resolve commands that can trigger financial transactions or governance-like state changes without any caution about cost, irreversibility, authorization, or environmental safety checks. In an agent setting, this increases the chance that an automated system executes value-bearing operations on the wrong asset, account, or network and causes unintended loss or delisting actions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation shows capability invocation and endpoint registration without warning that inputs may be sent to third-party services over the network. Agents may pass sensitive prompts, personal data, credentials, or proprietary content to external providers without user awareness, creating confidentiality, compliance, and data retention risks.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The node info, peers, and testnet onboard commands are documented without warning that they expose node identity, disclose peer/network metadata, and may enroll the host into network participation. In an automated environment, this can unintentionally reveal infrastructure details or start network activity the operator did not intend.

VirusTotal

52/52 vendors flagged this skill as clean.

View on VirusTotal