Tokenbroker

Security checks across malware telemetry and agentic risk

Overview

TokenBroker fits its token-launch purpose, but it needs review because it combines token launch preparation, mainnet-capable API calls, wallet/key guidance, cross-skill delegation, and promotional financial claims with unclear safeguards.

Install only if you intentionally want an agent to help prepare token launches. Use testnet first, avoid primary wallets or raw private keys, restrict GitHub token scope, review all generated token metadata and promotional copy, and require explicit approval before external uploads, cross-skill delegation, public posting, or any mainnet transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes outbound network use to GitHub, nad.fun APIs, and Monad RPC, yet no explicit permissions are declared. Undeclared network capability reduces transparency and makes it harder for a host or reviewer to apply least privilege, especially for a skill that can interact with external services and prepare token launches.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The document presents scanning as read-only and credential-free, but elsewhere directs the workflow to continue into STATS.md for builder reputation checks when an author address is found. That creates a misleading trust boundary: an agent or operator may approve the skill expecting only local file reads, while the documented next step expands into networked data access and broader data processing.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The document claims default safety via testnet operation, but later configuration examples set NETWORK=mainnet, creating a contradictory and potentially unsafe default posture. In a token-launching skill, this inconsistency can cause real-value transactions or deployments when users believe they are operating safely on testnet.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill says wallet private key management is not included, but elsewhere instructs users to store and use a PRIVATE_KEY locally for deployment-related flows. This mismatch can mislead users about the trust boundary and operational responsibility, increasing the chance they expose sensitive keys to a skill they thought would not handle them.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The exported promo generator accepts `repoAnalysis` but never uses it, and `generateXThread` instead calls `detectCategory` on `reasoning` after unsafely casting it to `RepoAnalysis`. This creates a semantic integrity flaw: promotional content and hashtags can be derived from attacker-controlled or low-trust reasoning text rather than the actual repository analysis, leading to misleading output and weakening any downstream trust in the generated launch materials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document explicitly shows forwarding GitHub-derived context, including repository URL, stars, and trigger metadata, to another skill without any privacy minimization or user-consent guidance. In an agent ecosystem, cross-skill transmission expands the trust boundary and can leak sensitive or policy-restricted project metadata to downstream components, especially when repository context may be private, pre-release, or enterprise-internal.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The invocation guidance uses broad phrases like analyzing or scanning a project without tightly constraining scope, path boundaries, or allowed file types. In an agent setting, overly generic triggers can cause the skill to activate in unintended contexts and read more of the local workspace than the user expected, increasing the chance of accidental exposure of sensitive files or metadata.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The generator produces persuasive token marketing text that includes investment-adjacent claims such as rewards, yields, governance benefits, and 'moon-sized gains' while presenting the output as normal project identity content rather than clearly labeled autogenerated promotional copy. In this skill's context, that is more dangerous because the stated purpose includes token launch, so this content can directly be used to market speculative assets and mislead users about functionality, risk, or expected returns.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code automatically transmits generated token images, token metadata, and token-identifying fields such as name, ticker, and description to external nad.fun endpoints without any explicit user-consent or disclosure mechanism at the point of transmission. In an agent skill context, this is risky because repository-derived or user-supplied content may be sent off-platform unexpectedly, creating a privacy and data-governance issue even if the destination service is the intended product backend.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This generator creates polished investment and token-promotion language from repository metadata without any disclosure that the content is synthetic, speculative, or non-financial advice. In the context of a skill explicitly used for token launches, this can materially increase the risk of misleading users, facilitating market manipulation, or generating deceptive promotional content at scale.

Credential Access

High
Category
Privilege Escalation
Content
- No credentials are transmitted to external servers beyond their intended endpoints (GitHub API, nad.fun API, Monad RPC)
- The skill operates entirely within your local environment

### .env File Generation
- The Install Wizard generates a `.env` file on your local machine
- This file is **never committed** to version control (gitignored)
- You can review and edit it at any time
Confidence
91% confidence
Finding
.env

VirusTotal

66/66 vendors flagged this skill as clean.
