Back to skill

Security audit

8004 Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for TRON/BSC agent registration, but it needs review because it can use real wallet private keys for irreversible blockchain transactions and recommends persistent plaintext key storage.

Install only if you are comfortable giving the skill access to a wallet that can sign TRON/BSC transactions. Use a dedicated low-balance wallet, start on testnets, avoid storing private keys in ~/.bashrc or plaintext files, verify contract addresses independently, and require explicit approval before any register, feedback, or set-uri command on mainnet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • YARA SignaturesMalware Match, Webshell Match, Cryptominer Match
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill instructs use of environment variables and shell commands but does not declare corresponding permissions, which can hide its true operational scope from users and policy enforcement. In an agent setting, undeclared shell/env access increases the chance that sensitive values such as private keys are accessed or transactions are initiated without adequate review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented behavior goes beyond the stated purpose by covering credential loading from disk/environment, reputation submission, querying, and potentially broader chain interaction than the top-level description suggests. That mismatch can mislead users into authorizing a skill for simple registry management when it can also read secrets and perform additional on-chain actions with financial consequences.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README instructs users to place a raw private key in an environment variable or plaintext local file without warning that these are highly sensitive secrets. This creates a real risk of credential exposure through shell history, screenshots, process inspection, backups, or weak endpoint security, which could let an attacker take over the user's blockchain account and submit irreversible on-chain transactions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Appending a private key directly to ~/.bashrc persists the credential in plaintext in a commonly accessed startup file and increases long-term exposure. Anyone with local access, malware, backup access, or accidental disclosure of dotfiles could recover the key and control the associated wallet.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill recommends storing an unencrypted blockchain private key in a predictable file path without sufficiently emphasizing the risk. If the host is compromised, shared, backed up insecurely, or the agent has broad filesystem access, that key can be stolen and used to irreversibly transfer assets or impersonate the agent on-chain.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill presents mainnet registration and update commands as routine examples without a prominent warning that these are irreversible blockchain transactions and may consume real funds. Users may execute examples in automation or by copy-paste and incur unintended costs or permanent on-chain changes.

Missing User Warnings

Medium
Confidence
72% confidence
Finding
The utility accesses highly sensitive private-key material from environment variables and a plaintext local file without any explicit warning, consent prompt, or safety messaging at the point of use. In an agent skill context, this increases the risk that operators unknowingly expose deployer credentials to automation, logs, backups, or other local processes, leading to wallet compromise and unauthorized blockchain transactions.

Session Persistence

Medium
Category
Rogue Agent
Content
export TRON_PRIVATE_KEY="your_64_character_hex_private_key"

# Method 2: File storage
mkdir -p ~/.clawdbot/wallets
echo "your_private_key" > ~/.clawdbot/wallets/.deployer_pk
chmod 600 ~/.clawdbot/wallets/.deployer_pk
```
Confidence
90% confidence
Finding
mkdir -p ~/.clawdbot/wallets echo "your_private_key" > ~/.clawdbot/wallets/.deployer_pk chmod 600 ~/.clawdbot

Session Persistence

Medium
Category
Rogue Agent
Content
source ~/.bashrc

# Method 3: File storage (shared with ERC-8004)
mkdir -p ~/.clawdbot/wallets
echo "your_private_key" > ~/.clawdbot/wallets/.deployer_pk
chmod 600 ~/.clawdbot/wallets/.deployer_pk
```
Confidence
90% confidence
Finding
mkdir -p ~/.clawdbot/wallets echo "your_private_key" > ~/.clawdbot/wallets/.deployer_pk chmod 600 ~/.clawdbot

Session Persistence

Medium
Category
Rogue Agent
Content
export TRON_PRIVATE_KEY="your_64_character_hex_private_key"

# Option 2: File storage
mkdir -p ~/.clawdbot/wallets
echo "your_private_key" > ~/.clawdbot/wallets/.deployer_pk
chmod 600 ~/.clawdbot/wallets/.deployer_pk
```
Confidence
94% confidence
Finding
mkdir -p ~/.clawdbot/wallets echo "your_private_key" > ~/.clawdbot/wallets/.deployer_pk chmod 600 ~/.clawdbot

YARA rule 'backdoor_persistence': Backdoor persistence with malicious payloads (shell commands, SSH key injection, hidden root users) [malware]

High
Category
YARA Match
Content
export TRON_PRIVATE_KEY="your_private_key"

# Method 2: Environment variable (persistent)
echo 'export TRON_PRIVATE_KEY="your_key"' >> ~/.bashrc
source ~/.bashrc

# Method 3: File storage (shared with ERC-8004)
Confidence
86% confidence
Finding
echo 'export TRON_PRIVATE_KEY="your_key"' >> ~/.bashrc

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.