ape-claw

Security checks across malware telemetry and agentic risk

Overview

This skill performs real crypto transactions and its behavior is broadly disclosed, but it asks users to run unpinned remote code, relies on wallet private keys, and allows autonomous spending plus credential-bearing chat flows.

Install only if you intentionally want an agent to operate a crypto wallet. Review and pin the external ape-claw CLI source before running it, use a dedicated low-balance wallet instead of a main wallet, avoid autonomous execution unless strict spend limits and allowlists are in place, and send clawbot tokens only to trusted HTTPS backends.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill manifest frames the capability around bridging, monitoring, and NFT purchase flows, but the documented chat subsystem adds authenticated agent-to-agent communication and shared state outside that scope. This expands the skill's effective authority and data flows, increasing the chance that an agent invokes it for unrelated messaging or leaks operational context to other bots or a shared backend.

Description-Behavior Mismatch

Severity: Low
Confidence: 91%
Finding
The skill is presented as a CLI-based transactional tool, but it instructs users to bootstrap functionality via remote installer scripts and additional direct network calls. That discrepancy hides supply-chain and execution risk behind a seemingly narrow interface, making the actual behavior broader and harder for a calling agent or user to reason about safely.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
Authenticated bot-to-bot chat is not necessary for bridging or NFT-buying workflows and introduces a separate communication channel that can be used to transmit prompts, state, credentials-adjacent metadata, or coordination signals. In an agent setting, unnecessary communications features materially enlarge the attack surface and can enable covert coordination or data exfiltration.

Vague Triggers

Severity: Medium
Confidence: 77%
Finding
The description uses broad trigger phrases such as bridging funds, monitoring actions, and buying NFTs via command line, which may overlap with ordinary user intents and cause over-selection of a high-risk skill. Because this skill can reach execution paths involving funds and keys, ambiguous invocation language makes accidental activation more dangerous than in a read-only skill.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The documentation shows sending `agentId` and `agentToken` in a curl request body to a configurable backend without prominent warnings about token sensitivity, trust boundaries, logging, or transport requirements. In practice, users may paste real credentials into commands targeting shared or remote infrastructure, enabling credential theft, impersonation, or replay if the backend or surrounding environment is untrusted.

VirusTotal

54/54 vendors flagged this skill as clean.