Clanker

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it handles raw wallet private keys and can submit irreversible Base transactions that spend ETH without a clear final confirmation step.

Install only if you understand the wallet risk. Use a fresh low-balance wallet, test on Sepolia first, do not store a funded mainnet private key in the config file, verify Clanker contract addresses from official sources, and require a manual review of network, token parameters, gas, and ETH value before any mainnet deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation indicates capabilities that involve shell execution, file reads, and access to secret material via configuration, but it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate what the skill can access, especially because the workflow explicitly relies on reading a local config file containing a private key.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill advertises token deployment support in the manifest and usage sections, but later admits deployment is only a placeholder and not fully implemented. This mismatch is dangerous because users may trust the skill to perform high-risk blockchain actions, provide private keys, or send funds based on misleading documentation, leading to failed transactions, fund loss, or unsafe fallback behavior.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The command reference presents deploy and testnet-deploy as normal working commands even though later sections explicitly say deployment is placeholder or not implemented. In the context of a crypto-deployment skill that asks users to configure private keys and potentially commit ETH liquidity, contradictory instructions materially increase the chance of unsafe operator decisions and accidental financial loss.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script reads a private key from disk and passes it as a positional argument to a child Python process. On many systems, process arguments can be exposed to local users via tools like `ps`, shell history, audit logs, or process monitoring, creating a realistic secret disclosure path for a credential that controls on-chain funds.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Deployment triggers an external helper that can submit irreversible blockchain transactions without any explicit confirmation, dry-run summary, or final user consent in this script. In a skill that handles token creation and liquidity funding, a mistaken invocation can immediately spend funds or deploy unwanted assets.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script requires the private key as a positional command-line argument, which commonly exposes secrets through shell history, process listings, CI logs, and audit tooling. Because this skill is explicitly designed to handle a blockchain deployer key, the context makes secret exposure especially dangerous: compromise of the key can lead to immediate loss of funds and unauthorized on-chain actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script creates a config file in the user's home directory without warning and includes a schema containing a private_key field, normalizing the storage of wallet secrets in plaintext. In the context of a blockchain deployment skill that requires PRIVATE_KEY in config, this increases the chance users will place real keys into an insecure file path, where they may later be exposed via weak permissions, backups, shell history, or other local compromise.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: clanker
description: Deploy ERC20 tokens on Base using Clanker SDK. Create tokens with built-in Uniswap V4 liquidity pools. Supports Base mainnet and Sepolia testnet. Requires PRIVATE_KEY in config.
metadata: {"clawdbot":{"emoji":"🪙","homepage":"https://clanker.world","requires":{"bins":["curl","jq","python3"]}}}
---
Confidence
83% confidence
Finding
Create tokens with built-in Uniswap V4 liquidity pools. Supports Base mainnet and Sepolia testnet. Requires PRIVATE_KEY in config. metadata: {"clawdbot":{"emoji":"🪙","homepage":"https://clanker.world"

Session Persistence

Medium
Category
Rogue Agent
Content
### Step 1: Set Up Testnet Config

```bash
# Create config with testnet private key
cat > ~/.clawdbot/skills/clanker/config.json << 'EOF'
{
  "testnet": {
```
Confidence
90% confidence
Finding
Create config with testnet private key cat > ~/.clawdbot

VirusTotal

63/63 vendors flagged this skill as clean.
