SilkyWay

Security checks across malware telemetry and agentic risk

Overview

SilkyWay appears to be a real Solana payments skill, but it gives the agent real-money signing authority with plaintext local wallet keys and backend-built transactions that are signed without local verification.

Install only if you intend to let this skill manage a Solana payment wallet. Start on devnet, keep mainnet balances limited, protect ~/.config/silkyway/config.json, check that SILK_API_URL is not overridden, avoid sharing secrets in chat, and require human review before any real USDC send, withdrawal, claim, cancellation, or delegated account transfer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Description-Behavior Mismatch

Severity: Medium (91% confidence)
Finding
The CLI exposes a `chat` command that sends user-provided messages to a support agent, but this capability is not reflected in the described banking/payments functionality. In a financial skill, undocumented outbound communication paths are risky because they can transmit sensitive operational or wallet-related data to an external service and expand the attack surface beyond the declared trust boundary.

Description-Behavior Mismatch

Severity: Medium (94% confidence)
Finding
This command forwards arbitrary user-supplied text to a remote '/chat' service even though the skill is described as banking and payments functionality. In a financial-agent context, an unrestricted chat channel materially expands the trust boundary and can expose sensitive prompts, payment details, or operational instructions to an external backend without clear scope limitation or local validation.

Description-Behavior Mismatch

Severity: Medium (92% confidence)
Finding
This code generates a Solana keypair and persists the raw private key in application configuration as a base58 string. Storing unencrypted secret keys on disk materially increases the risk of wallet compromise through local file theft, logs, backups, or other accidental exposure, especially in a banking/payments skill where key material directly controls funds.

Missing User Warnings

Severity: Medium (93% confidence)
Finding
The support chat sends both a persistent agentId and arbitrary message content to a remote AI service, yet the documentation does not provide a strong warning that conversations and identifiers leave the local machine. In a financial tooling context, users may paste wallet addresses, transaction details, or operational secrets into support chat, creating avoidable privacy and data-leakage risk.

Missing User Warnings

Severity: Medium (92% confidence)
Finding
The withdraw command builds, signs, and submits an asset-moving transaction immediately, with no user confirmation and no verification that the server-built transaction actually matches the intended action. In a banking/payments skill, this is especially dangerous because a compromised backend or confused agent flow could cause irreversible withdrawals without giving the user a chance to inspect destination, amount, or account.

Missing User Warnings

Severity: High (97% confidence)
Finding
The send command signs and submits a transfer to an arbitrary recipient with no confirmation or independent validation of the server-provided transaction contents. In the context of a Solana banking/payment skill, this materially increases risk: an agent mistake, prompt injection via recipient resolution, or malicious/compromised API response could redirect funds and cause immediate, irreversible loss.

Missing User Warnings

Severity: Medium (90% confidence)
Finding
The code submits a fully signed transaction blob to a remote API endpoint, meaning the server controls or intermediates transaction broadcast after the user has irrevocably authorized it. In a banking/payments skill, this is more dangerous because a compromised or malicious server can log, delay, replay where possible, correlate sensitive financial activity, or trick users into signing unexpected transactions if transaction construction is not independently verified.

Missing User Warnings

Severity: Medium (89% confidence)
Finding
The code transmits the user's message to a remote endpoint with no visible disclosure, consent prompt, or warning at the call site. In a payments-related skill, users may reasonably enter wallet addresses, transaction intent, balances, or other financial information, so silent transmission increases privacy and data-handling risk.

Missing User Warnings

Severity: Medium (93% confidence)
Finding
The skill signs a transaction generated by a remote API and then sends the signed transaction back to that remote service for submission, creating a trust boundary problem. A compromised or malicious backend can craft an unexpected transaction for the user to sign, and because this file shows no local decoding, policy validation, or user approval of the transaction contents before signing, the user's funds could be moved or approvals granted unintentionally.

Missing User Warnings

Severity: Medium (92% confidence)
Finding
The code generates a Solana keypair and immediately stores the raw private key in the general configuration object as a base58 string. Plaintext secret storage materially increases the chance of wallet compromise through local file disclosure, logs, backups, malware, or accidental sharing, and in a banking/payments skill that directly controls funds this can lead to irreversible asset theft.

Missing User Warnings

Severity: Medium (88% confidence)
Finding
This command signs a blockchain transaction locally and then transmits the signed payload to a remote API for submission, giving the server influence over what reaches the network. Because the unsigned transaction is also built by that same remote service and there is no visible local verification of transaction contents before signing, a compromised or malicious backend could cause the user to sign and broadcast an unintended transfer.

Missing User Warnings

Severity: High (96% confidence)
Finding
The file creates wallets and stores their private keys without any visible warning, confirmation, or disclosure to the user. In a financial skill, silently taking custody of keys can mislead users about who controls funds and can cause severe loss if the local system, config file, or surrounding tooling is compromised.

Missing User Warnings

Severity: Medium (92% confidence)
Finding
The configuration is written as plaintext JSON and the declared schema includes wallet private keys, so this code path can persist secret key material to disk without any protection, permission hardening, or encryption. In a banking/payments skill for Solana, compromise of the local config file can directly lead to wallet theft and unauthorized transfers, making the context substantially more dangerous than ordinary application preferences storage.

VirusTotal

61/61 vendors flagged this skill as clean.