Base 8004

Security checks across malware telemetry and agentic risk

Overview

This is a coherent tutorial for registering an agent on Base, but users must treat the wallet key as sensitive and the onchain metadata as permanently public.

Install only if you are comfortable creating or using a Base wallet and signing onchain transactions. Use a fresh low-value wallet, avoid printing the private key where logs or screen recordings may capture it, keep .env out of source control, verify the contract address and chain before signing, and publish only metadata and endpoints that are safe to be permanently public.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly instructs users to print a freshly generated private key to the console, which can expose the secret in terminal scrollback, shell history capture tools, CI logs, remote development sessions, screen recordings, or telemetry. In the context of an onchain wallet, compromise of this key gives an attacker full control of the wallet and the agent identity NFT, making the consequence more severe than a generic secret leak.

Missing User Warnings

Medium
Confidence: 91%
Finding
The registration instructions encourage publishing agent metadata and service endpoints onchain but do not clearly warn that this information is public, indexable, and difficult or impossible to fully retract once submitted. That can lead users to expose sensitive internal endpoints, identifying information, or operational details that enable targeting, fingerprinting, or reputation harm.

VirusTotal

64/64 vendors flagged this skill as clean.
