Smithnode

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs Review because it can automatically replace and restart its own validator binary and exposes powerful network, RPC, and AI-key behavior without tight enough user control.

Install only if you are comfortable running a devnet validator that can modify its own executable. Prefer an isolated container or VM, keep RPC bound to localhost or behind authentication, use local Ollama when possible, avoid passing API keys on the command line, and disable or closely monitor automatic upgrades if you operate this outside a disposable test environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill appears to use file read and network capabilities without declaring them, which breaks the expected permission model and reduces a user's ability to make an informed trust decision. Undeclared capabilities are especially concerning in an agent skill because network and file access can enable data exfiltration, remote control paths, or unexpected interaction with local resources.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description presents the skill as a P2P blockchain for AI agents, but the detected behavior includes an auto-update system that downloads and replaces binaries, a JSON-RPC control plane, governance execution, token/validator functions, and broad networked peer messaging. This mismatch is dangerous because it conceals materially more powerful and risky behavior than users would reasonably expect, increasing the chance of unauthorized code execution, remote administration exposure, and unsafe trust in upgrade or governance paths.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The guide explicitly describes an automatic update flow that downloads a new binary, swaps executables, and restarts the validator. Even with signature and checksum verification claims, this is remote code replacement functionality in a validator process, which materially expands the attack surface and can lead to supply-chain compromise or operator loss of control if the signing/distribution path is abused.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documented update mechanism gives the software authority to fetch and install executables from peers or HTTP sources, then restart via exec(). For a blockchain validator, that is highly sensitive capability: compromise of the release signing key, update channel, relay path, or verification logic could yield full remote code execution on validator hosts.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Validator mode includes a built-in self-update path that downloads a new executable, replaces the current binary, and re-executes it. Even with signature/checksum checks around announcements and binaries, this materially expands the trust boundary from blockchain participation into remote code deployment, creating a high-risk supply-chain execution path if the operator key, relay, update channel, or verification logic is compromised.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The code implements unattended remote code installation by accepting upgrade announcements, downloading platform-specific binaries from peer relays or HTTP URLs, writing them over the current executable, and executing the replacement. In a blockchain validator skill, this is especially dangerous because compromise of the operator signing key, announcement flow, relay source, or artifact distribution chain can yield full host compromise across participating nodes.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The P2P layer includes upgrade announcement handling and peer relay support for distributing software binaries, which materially expands trust and attack surface beyond ordinary blockchain gossip. Even though upgrade announcements are signed, peer relay announcements are accepted and stored without authentication in this file, creating a path for malicious peers to advertise attacker-controlled download URLs and potentially steer operators or downstream logic toward untrusted binaries.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
`PeerRelayAnnouncement` accepts arbitrary `relay_url` values from the network and `record_peer_relay` stores them after only duplicate suppression and list size capping; there is no signature, trust check, or URL validation. In a P2P blockchain context, introducing ad hoc peer-hosted binary URLs is especially dangerous because it enables supply-chain phishing, redirection to malware, or abuse of any later download consumer that treats these URLs as trustworthy because they came from the network.
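The download-consumer checks that the update and relay findings above call for, as an added example that is not Smithnode's own code: a relay URL is accepted only when it is https, carries no embedded credentials, names an operator-pinned host and uses the default port (the `ALLOWED_RELAY_HOSTS` allowlist is an assumption); the artifact digest is compared in constant time against the value carried in the signed announcement rather than anything served by the relay; and the verified binary is staged beside the running executable instead of being swapped in and re-executed unless the operator has explicitly approved the switch. The function names, the `.staged` suffix and the sample artifact are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

# Assumed operator-pinned allowlist; Smithnode's real config keys are not on the page.
ALLOWED_RELAY_HOSTS = frozenset({"releases.example.invalid"})


def validate_relay_url(url: str) -> tuple:
    """Accept a peer-advertised relay URL only if it is https, has no
    userinfo (foils 'https://trusted@attacker/' tricks), names an
    allowlisted host and uses the default port."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "unparseable URL or port"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_RELAY_HOSTS:
        return False, "host not allowlisted"
    if port not in (None, 443):
        return False, "non-default port"
    return True, "ok"


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """Constant-time compare of the downloaded bytes against the digest
    from the signed announcement (never from the relay that served them)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def stage_update(data: bytes, expected_sha256: str, target: str,
                 approved: bool = False) -> str:
    """Write the verified binary next to `target`. Without operator approval
    it is left as `<target>.staged`; with approval it is swapped in with an
    atomic rename. Nothing here exec()s the result. Returns the written path."""
    if not verify_artifact(data, expected_sha256):
        raise ValueError("artifact digest mismatch; refusing to install")
    directory = os.path.dirname(os.path.abspath(target))
    fd, tmp = tempfile.mkstemp(prefix=".update-", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())          # durable before the rename is visible
    os.chmod(tmp, 0o755)
    dest = target if approved else target + ".staged"
    os.replace(tmp, dest)              # atomic; no half-written binary on disk
    return dest


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def demo_staged_update() -> dict:
    """Run the flow on constructed data in a scratch directory."""
    artifact = b"#!/bin/sh\necho smithnode-next\n"   # constructed stand-in binary
    digest = hashlib.sha256(artifact).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "smithnode")
        with open(target, "wb") as fh:
            fh.write(b"old")
        staged = stage_update(artifact, digest, target)
        results["staged_only"] = staged.endswith(".staged") and _read(target) == b"old"
        installed = stage_update(artifact, digest, target, approved=True)
        results["installed"] = installed == target and _read(target) == artifact
        try:
            stage_update(b"tampered", digest, target, approved=True)
            results["tamper_rejected"] = False
        except ValueError:
            results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(validate_relay_url("https://releases.example.invalid/smithnode-linux"))
    print(demo_staged_update())
```

The split between staging and approval is the point: a relay, announcement or verification bug then yields at most an unused file on disk, not code running as the validator.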

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The `query_ai` RPC turns the node into a general proxy to whatever AI provider credentials are present in environment variables, with no authentication or authorization visible in this module. That lets any RPC client consume the operator's paid API access and send arbitrary prompts to external providers, causing credential abuse, unexpected data egress, cost exposure, and possible leakage of sensitive prompts or context.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The server warns that production CORS can be restricted via `SMITHNODE_CORS_ORIGINS`, but the implementation always allows any origin, method, and header. If the RPC is reachable from a browser-accessible network, any website can induce a victim browser to call these RPC endpoints, expanding the attack surface for cross-origin abuse of state-changing methods.
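A request gate covering the two findings above (the unauthenticated `query_ai` proxy and the always-permissive CORS), as an added example that is not Smithnode's server code. `SMITHNODE_CORS_ORIGINS` is the variable the page names; the `SMITHNODE_RPC_TOKEN` variable, the `handle_rpc` dispatcher and the protected-method list beyond `query_ai` are assumptions. The permissive function reproduces the weak behaviour the finding describes so the two can be compared side by side.

```python
import hmac

# query_ai is on the page; the other names stand in for state-changing methods.
PROTECTED_METHODS = frozenset({"query_ai", "smithnode_applyUpdate", "smithnode_vote"})


def parse_cors_origins(env: dict) -> frozenset:
    """SMITHNODE_CORS_ORIGINS is comma separated; unset or empty means no
    cross-origin caller is allowed at all."""
    raw = env.get("SMITHNODE_CORS_ORIGINS", "")
    return frozenset(o.strip().rstrip("/") for o in raw.split(",") if o.strip())


def cors_headers_permissive(origin) -> dict:
    """The weak form the finding describes: every origin, method and header."""
    return {"Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Methods": "*",
            "Access-Control-Allow-Headers": "*"}


def cors_headers_restricted(origin, env: dict) -> dict:
    """Exact-match allowlist; echo the origin (not '*') and add Vary so a
    shared cache never serves one origin's answer to another."""
    if origin is None or origin.rstrip("/") not in parse_cors_origins(env):
        return {}                                   # browser blocks the response
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": "POST",
            "Access-Control-Allow-Headers": "Content-Type, Authorization",
            "Vary": "Origin"}


def authorize_rpc(method: str, headers: dict, env: dict) -> tuple:
    """Protected methods need `Authorization: Bearer <SMITHNODE_RPC_TOKEN>`.
    Header keys are expected lower-cased by the caller."""
    if method not in PROTECTED_METHODS:
        return True, "public method"
    expected = env.get("SMITHNODE_RPC_TOKEN")
    if not expected:
        return False, "protected method but no RPC token configured"
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or wrong bearer token"
    return True, "authorized"


def handle_rpc(request: dict, headers: dict, env: dict) -> dict:
    """Order matters: reject foreign origins first, then require auth, only
    then touch the method. Returns a minimal JSON-RPC-style envelope."""
    origin = headers.get("origin")
    resp_headers = cors_headers_restricted(origin, env)
    if origin is not None and not resp_headers:
        return {"status": 403, "error": "origin not allowed", "headers": {}}
    method = request.get("method", "")
    ok, reason = authorize_rpc(method, headers, env)
    if not ok:
        return {"status": 401, "error": reason, "headers": resp_headers}
    return {"status": 200, "result": f"dispatched {method}", "headers": resp_headers}


if __name__ == "__main__":
    env = {"SMITHNODE_CORS_ORIGINS": "https://dash.example", "SMITHNODE_RPC_TOKEN": "t0k"}
    print(handle_rpc({"jsonrpc": "2.0", "method": "query_ai", "id": 1},
                     {"origin": "https://evil.example"}, env))
    print(handle_rpc({"jsonrpc": "2.0", "method": "query_ai", "id": 1},
                     {"origin": "https://dash.example", "authorization": "Bearer t0k"}, env))
```

Note that a wildcard origin cannot be combined with credentials, so the restricted variant is also what makes cookie- or token-bearing calls from a dashboard possible at all.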

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The Docker example publishes both RPC and P2P ports on all host interfaces, which makes the node remotely reachable by default. In the context of a blockchain node this may be intentional for networking, but the documentation omits any warning, authentication guidance, or recommendation to restrict RPC exposure, increasing the risk of unintended public access and abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Kubernetes Service uses type LoadBalancer for the RPC port, which commonly provisions a public internet-facing endpoint. Because the example lacks any warning or access-control guidance, users may unintentionally expose node RPC to the internet, enabling reconnaissance, abuse, or disruptive requests against the node.
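A small exposure check for the Docker and Kubernetes findings above, as an added example rather than anything shipped with Smithnode: it parses Compose / `docker run -p` port mappings to see which host interface they bind, and flags a Service manifest whose type is LoadBalancer or NodePort with no source allowlist. The port numbers and the manifests are constructed placeholders; the page does not state Smithnode's actual ports.

```python
LOOPBACK_PREFIXES = ("127.", "::1", "localhost")


def classify_port_publish(spec: str) -> dict:
    """Parse 'C', 'H:C', 'IP:H:C' or '[v6]:H:C', optionally suffixed with
    '/tcp' or '/udp', and report the host interface it lands on. With no IP
    Docker binds 0.0.0.0, i.e. every interface on the host."""
    mapping, _, proto = spec.partition("/")
    if mapping.startswith("["):                       # bracketed IPv6 address
        host_ip, _, rest = mapping[1:].partition("]")
        rest = rest[1:]                               # drop the ':' after ']'
    else:
        parts = mapping.split(":")
        if len(parts) == 3:
            host_ip, rest = parts[0], parts[1] + ":" + parts[2]
        elif len(parts) == 2:
            host_ip, rest = "0.0.0.0", mapping
        else:                                         # container port only
            host_ip, rest = "0.0.0.0", ":" + mapping
    host_port, _, container_port = rest.partition(":")
    return {"host_ip": host_ip, "host_port": host_port or "ephemeral",
            "container_port": container_port, "proto": proto or "tcp",
            "exposed": not host_ip.startswith(LOOPBACK_PREFIXES)}


def check_k8s_service(service: dict) -> list:
    """Flag a Service (already loaded into a dict) that publishes its ports
    beyond the cluster without a loadBalancerSourceRanges allowlist."""
    spec = service.get("spec", {})
    stype = spec.get("type", "ClusterIP")
    problems = []
    if stype in ("LoadBalancer", "NodePort"):
        names = ", ".join(str(p.get("name") or p.get("port")) for p in spec.get("ports", []))
        problems.append(f"type {stype} publishes ports [{names}] outside the cluster")
        if stype == "LoadBalancer" and not spec.get("loadBalancerSourceRanges"):
            problems.append("no loadBalancerSourceRanges: any internet client can reach the RPC")
    return problems


def audit_exposure(port_specs, service: dict) -> list:
    """Combine both checks into one list of findings."""
    problems = []
    for spec in port_specs:
        info = classify_port_publish(spec)
        if info["exposed"]:
            problems.append(f"{spec}: bound on {info['host_ip']}; for RPC prefer "
                            f"127.0.0.1:{info['host_port']}:{info['container_port']}")
    problems.extend(check_k8s_service(service))
    return problems


# Constructed examples: 8545 stands in for the RPC port, 30303 for P2P.
WEAK_PORTS = ["8545:8545", "30303:30303"]
HARDENED_PORTS = ["127.0.0.1:8545:8545", "30303:30303"]   # P2P stays public by design
WEAK_SERVICE = {"kind": "Service", "spec": {"type": "LoadBalancer",
                "ports": [{"name": "rpc", "port": 8545}]}}
HARDENED_SERVICE = {"kind": "Service", "spec": {"type": "ClusterIP",
                    "ports": [{"name": "rpc", "port": 8545}]}}

if __name__ == "__main__":
    for line in audit_exposure(WEAK_PORTS, WEAK_SERVICE):
        print("WEAK:", line)
    for line in audit_exposure(HARDENED_PORTS, HARDENED_SERVICE):
        print("HARDENED:", line)
```

The one remaining finding on the hardened inputs is the public P2P port, which is the expected shape for a node: gossip reachable, RPC not.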

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to configure third-party AI providers and pass API keys, but it does not clearly warn that validator activity, prompts, governance content, peer challenge data, and potentially operational metadata may be transmitted to external services. In a blockchain validator context where the AI is continuously involved in governance and validation, this omission can mislead operators about privacy, cost, and key-handling risks and may result in unintended disclosure of sensitive data to cloud providers.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide says 'No action required' and normalizes automatic binary replacement and restart without prominently warning operators that local software will be modified and service behavior can change unexpectedly. This reduces informed consent and may cause operators to run software with elevated trust they did not intend to grant.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The cloud AI provider setup instructs users to send validator reasoning/challenge traffic to third-party AI APIs but does not clearly warn that prompts, metadata, and possibly network-derived data may leave the host and be retained by external providers. In a validator context, that can expose sensitive operational data, governance content, or user-entered secrets if operators misconfigure prompts or logs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest declares optional API keys and a contributor-only GitHub token alongside broad permissions including network, filesystem, and shell, but provides no user-facing guidance on how these secrets are handled, stored, or transmitted. In a skill that connects to remote RPC endpoints and supports release-management/contributor workflows, this increases the risk of inadvertent credential exposure, over-collection, or unsafe propagation to subprocesses and external services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The build script reads operator keys from Cargo.toml metadata and embeds them into a compile-time environment variable, which can then be compiled into the binary or exposed through build logs and downstream code paths. This creates a secret-handling weakness because developers may place sensitive keys in project metadata without realizing the build system is converting them into broadly accessible build-time configuration.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The Ollama endpoint is fully configurable and is used to transmit raw prompts without any validation, scheme restriction, or locality enforcement. Although custom endpoints are a legitimate feature, this allows prompts and optional system prompts to be sent to arbitrary network locations, which can create unintended data exfiltration or privacy exposure if the endpoint is attacker-controlled or misconfigured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI accepts `--ai-api-key` directly on the command line, which commonly exposes secrets through shell history, process listings, audit logs, and orchestration tooling. In this skill's context, validators are expected to supply live AI provider credentials, so the design increases the likelihood that real production secrets are handled unsafely rather than being limited to test data.
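One way to take the credential off the command line and to keep the Ollama endpoint local by default, covering this finding and the configurable-endpoint finding above it, as an added example that is not Smithnode's CLI. `--ai-api-key` and `SMITHNODE_CORS_ORIGINS`-style naming come from the page; `--ai-api-key-file`, `SMITHNODE_AI_API_KEY`, `--ollama-endpoint`, `--allow-remote-ollama` and the provider default are assumptions. The resolver prefers a key file, then the environment, and only falls back to the argv value with a warning; `redact_argv` is what a log line of the invocation should pass through.

```python
import argparse
from typing import Callable
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
SECRET_FLAGS = ("--ai-api-key",)           # flags whose value must never be logged


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="smithnode")          # assumed flag set
    p.add_argument("--ai-provider", default="ollama")
    p.add_argument("--ollama-endpoint", default="http://127.0.0.1:11434")
    p.add_argument("--allow-remote-ollama", action="store_true",
                   help="explicit opt-in before prompts leave this host")
    p.add_argument("--ai-api-key", help="discouraged: visible in ps, history, audit logs")
    p.add_argument("--ai-api-key-file", help="path readable only by the validator user")
    return p


def endpoint_decision(url: str, allow_remote: bool) -> str:
    """'local' for loopback http(s), 'remote-allowed' with the opt-in, else 'refused'."""
    parts = urlsplit(url)
    local = parts.scheme in ("http", "https") and (parts.hostname or "").lower() in LOCAL_HOSTS
    if local:
        return "local"
    return "remote-allowed" if allow_remote else "refused"


def redact_argv(argv) -> list:
    """Mask secret flag values in both '--flag VALUE' and '--flag=VALUE' forms."""
    out, mask_next = [], False
    for arg in argv:
        if mask_next:
            out.append("***")
            mask_next = False
        elif arg in SECRET_FLAGS:
            out.append(arg)
            mask_next = True
        elif any(arg.startswith(f + "=") for f in SECRET_FLAGS):
            out.append(arg.split("=", 1)[0] + "=***")
        else:
            out.append(arg)
    return out


def resolve_ai_config(argv, environ: dict, read_file: Callable[[str], str]) -> dict:
    """Resolve key and endpoint. `read_file` is injected so the flow can be
    exercised without touching the filesystem."""
    args = build_parser().parse_args(argv)
    warnings, key, source = [], None, None
    if args.ai_api_key_file:
        key, source = read_file(args.ai_api_key_file).strip(), "file"
    elif environ.get("SMITHNODE_AI_API_KEY"):
        key, source = environ["SMITHNODE_AI_API_KEY"], "env"
    elif args.ai_api_key:
        key, source = args.ai_api_key, "argv"
        warnings.append("--ai-api-key is exposed to process listings and shell history; "
                        "use --ai-api-key-file or SMITHNODE_AI_API_KEY")
    endpoint = None
    if args.ai_provider == "ollama":
        decision = endpoint_decision(args.ollama_endpoint, args.allow_remote_ollama)
        if decision == "refused":
            raise ValueError(f"Ollama endpoint {args.ollama_endpoint} is not loopback; "
                             "pass --allow-remote-ollama to send prompts off-host")
        endpoint = args.ollama_endpoint
    return {"provider": args.ai_provider, "endpoint": endpoint,
            "key": key, "key_source": source, "warnings": warnings,
            "logged_argv": redact_argv(argv)}


if __name__ == "__main__":
    print(resolve_ai_config(["--ai-api-key", "sk-cli"], {}, lambda p: ""))
```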

Missing User Warnings

High
Confidence
99% confidence
Finding
The validator automatically installs and switches to a downloaded executable without an explicit confirmation step at the point of execution. That lack of human approval makes any upstream compromise or logic flaw in the update process immediately actionable, turning a metadata or distribution issue into automatic code execution on validator hosts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This RPC accepts arbitrary prompts and forwards them to external AI providers, but there is no user-facing warning or consent checkpoint at the transmission point. In this blockchain node context, operators or connected clients may incorrectly assume prompts stay local, creating a real risk of unintended disclosure of secrets, private chain data, or operational metadata to third-party providers.

External Transmission

Medium
Category
Data Exfiltration
Content
To check for updates manually:

```bash
curl -s -X POST https://smithnode-rpc.fly.dev \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"smithnode_checkUpdate","params":[],"id":1}' | python3 -m json.tool
```
Confidence
84% confidence
Finding
`curl -s -X POST https://smithnode-rpc.fly.dev \ -H "Content-Type: application/json" \ -d`

External Script Fetching

High
Category
Supply Chain
Content
```bash
# ⚠️ WARNING: This runs a third-party script on your machine.
# Review the script first: https://ollama.ai/install.sh
curl -fsSL https://ollama.ai/install.sh | sh
```

**Then pull a model and run:**
Confidence
99% confidence
Finding
`curl -fsSL https://ollama.ai/install.sh | sh`

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
# ⚠️ WARNING: This runs a third-party script on your machine.
# Review the script first: https://ollama.ai/install.sh
curl -fsSL https://ollama.ai/install.sh | sh
```

**Then pull a model and run:**
Confidence
99% confidence
Finding
`| sh`

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal