Security Defense Line 安全防线

Security checks across malware telemetry and agentic risk

Overview

This paid crypto security skill is not clearly malicious, but it presents demo-grade or simulated checks as real wallet and contract protection while also using automatic third-party billing.

Review this before installing. Treat its security output as demo or educational material unless independently verified, do not paste private keys or seed phrases, and do not rely on it for real wallet, contract, transaction, or incident-response decisions. Also make sure you are comfortable with SkillPay billing, including third-party user-ID transmission and possible automatic per-call charging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Tainted flow: 'user_id' from os.environ.get (line 96, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
    Returns: {"ok": bool, "balance": float, "payment_url": str|None}
    """
    try:
        resp = requests.post(
            f"{BILLING_API_URL}/api/v1/billing/charge",
            headers=HEADERS,
            json={
Confidence
98% confidence
Finding
resp = requests.post( f"{BILLING_API_URL}/api/v1/billing/charge", headers=HEADERS, json={ "user_id": user_id, "skill_id": SK

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill advertises capabilities that imply access to environment variables, network calls, and file-writing behavior, but it does not declare any permissions. That creates a trust and review gap: operators and users cannot accurately assess what the skill may access or modify, and hidden capability expansion is especially risky in a security-themed skill that may process sensitive wallet or incident data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is security analysis and defense, but the skill also appears to perform billing-related actions such as querying balances, charging per use, generating payment links, and identifying users via environment variables. This mismatch is dangerous because users may invoke a security tool without realizing it can contact external payment services or use identity-linked environment data, creating consent, privacy, and abuse risks.

Intent-Code Divergence

Medium
Confidence
78% confidence
Finding
The documentation promotes private-key and mnemonic safety while also advertising active private-key generation validation and strength checking. In this context, encouraging a tool to inspect or handle key material is risky because users may be induced to expose highly sensitive secrets to a skill, contradicting the stated principle that private keys should never touch networked systems.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file is entirely focused on billing enforcement even though the skill is presented as a security-defense tool for audits, wallet safety, phishing detection, and incident response. This mismatch is dangerous because it indicates hidden monetization logic unrelated to the declared purpose, increasing the likelihood of deceptive behavior and unauthorized charges in a high-trust security context.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill reads an environment-based user identity and contacts an external billing service even though that behavior is not justified by the declared security-defense scope. In a security tool, covert identity export and billing calls are more dangerous because users may trust the skill with sensitive contexts and not expect unrelated outbound data flows.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstring frames the module as payment verification, but the actual control flow immediately attempts to charge the user rather than merely verify payment status. Misrepresenting a charge operation as verification undermines informed consent and can lead to surprise billing, especially when called automatically at skill startup.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
`fetch_contract_code` is presented as retrieving contract source for a supplied address/network, but it ignores both inputs and always returns hardcoded mock Solidity. In a security-audit skill, this is dangerous because users may rely on fabricated results to make real security or financial decisions about a live contract that was never analyzed.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
`audit()` will generate a seemingly legitimate audit report when only an address is provided, but it analyzes unrelated mock code instead of the target contract. Because the skill is explicitly for smart-contract security auditing, this behavior can mislead users into trusting a false assessment and missing actual vulnerabilities or rejecting safe contracts for the wrong reasons.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill advertises smart-contract security auditing, yet the implementation can produce reports for arbitrary contract addresses without analyzing those contracts' actual code. In this context, the mismatch between claimed security function and real behavior materially increases danger because users may treat the output as authoritative for high-value blockchain assets.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This is a real security flaw. The add_owner, remove_owner, and change_threshold operations directly mutate critical multisig security parameters without any multisig proposal, per-owner approval tracking, or execution guard, so any caller reaching these methods can reconfigure wallet control and effectively bypass the wallet's core trust model. In a security-focused skill advertising multisig management, this is especially dangerous because users may rely on these methods as if they enforce governance.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
This is a true vulnerability because confirmations are only stored as an integer and not bound to unique signer identities. The same owner can call confirm_transaction repeatedly to inflate num_confirmations, and revoke_confirmation can decrement without proving that the signer previously confirmed, allowing threshold manipulation and unauthorized execution. In a multisig manager, this defeats the fundamental guarantee that independent owners must approve a transaction.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The function claims to check an SSL certificate but only verifies that the URL string starts with 'https://'. This can incorrectly classify attacker-controlled sites with invalid, expired, mismatched, or otherwise untrusted certificates as safe, creating a false sense of security in a phishing-detection skill where transport authenticity is security-critical.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code presents the result as a domain age and reputation assessment, but it actually uses only simplistic substring heuristics such as whether the domain contains 'new' or '2024'. In a security tool, this can cause both false negatives for malicious domains and false positives for benign ones, misleading users into trusting phishing sites that were never actually reputation-checked.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The function claims to simulate transaction execution but always returns a fixed successful result with hardcoded output and price impact. In a transaction security skill, this can falsely reassure users that unsafe, reverting, or manipulated transactions are safe, directly undermining the core protective purpose of the tool.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The contract risk check is presented as a security assessment, but it only assigns risk based on whether the address string contains words like 'uniswap' or 'aave'. Real blockchain addresses are hex values, so this logic is effectively non-functional and can misclassify unknown or malicious contracts while giving users a misleading sense of due diligence.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
The address validation routine conflates format checking with trust assessment and uses substring matching to identify 'known contracts,' which will fail for normal hexadecimal addresses and produce misleading reports. In a security-validation context, inaccurate labeling of addresses as safe, medium-risk, or known can cause users to make incorrect trust decisions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The module presents itself as a wallet security protection tool, but several core safety outcomes are later produced by random simulation rather than real data sources or deterministic analysis. In a security-defense skill, this is dangerous because users may rely on fabricated results to decide whether to trust addresses, contracts, or transactions, leading to false assurance or unnecessary alarm.

Description-Behavior Mismatch

High
Confidence
100% confidence
Finding
The skill claims to provide wallet security detection and protection, but beyond address format and a tiny local blacklist, the substantive checks are fabricated with random values. This creates a deceptive security control: an attacker or unsafe address could be reported as low risk purely by chance, and users may take risky actions based on false output.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The function names and docstrings state that they check contract verification, scam reports, taint, approvals, and diversification, but the bodies only generate random outcomes. This mismatch is dangerous because developers and users will interpret the outputs as evidence-based security findings when they are not, undermining trust and causing unsafe decisions.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill documents destructive or irreversible operations such as revoking approvals, executing multisig transactions, emergency freezing, and wallet/incident-response actions without prominent transaction-risk warnings or confirmation requirements. In a wallet and blockchain context, these actions can immediately affect assets and permissions, so insufficient warning materially increases the chance of accidental loss or misuse.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill transmits user identifiers to an external billing service without any visible user-facing disclosure in code. In the context of a security-defense skill, undisclosed outbound identity sharing is particularly problematic because users are likely to expect privacy-preserving behavior from a security product.

Missing User Warnings

High
Confidence
99% confidence
Finding
The verify_payment path automatically charges the user at startup instead of warning, asking consent, or presenting a confirmation step. Silent charging is dangerous because it can trigger unauthorized billing simply by invoking the skill, and the risk is amplified by the skill's security-oriented branding, which may lower user suspicion.

VirusTotal

VirusTotal findings are pending for this skill version.
