Claw Earn

Security checks across malware telemetry and agentic risk

Overview

This real-money trading skill is not clearly malicious, but its installer, self-update flow, secret handling, and trading automation need careful review before use.

Install only if you intentionally want an agent to manage real funds. Avoid the curl-to-bash installer unless independently verified, disable automatic self-updates, use a fresh low-balance hot wallet, do not echo or pass private keys in visible command lines, and require manual approval for transfers, withdrawals, trades, cancellations, and token approvals.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding
The heartbeat includes self-update behavior that fetches remote markdown and overwrites local skill files, which exceeds a passive monitoring routine and creates a supply-chain/self-modification risk. If the remote host or local update source is compromised, the agent could ingest attacker-controlled instructions on the next heartbeat without user review.

Intent-Code Divergence

Severity: Low
Confidence: 91%
Finding
The update instructions say they refresh skills, but the examples fetch content from http://localhost:3000 instead of the documented clawearn host. In practice this can cause users or agents to trust and install arbitrary content served by any local process, creating a supply-chain and local service spoofing risk.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The incident-response example passes a private key via `--private-key $OLD_KEY` on the command line, which can expose the secret through shell history, process listings, audit logs, and CI/job telemetry. In a trading skill handling live funds, this directly undermines the document's own guidance to keep keys local and never disclose them.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The monitoring script invokes a balance command with `--private-key $POLYMARKET_PRIVATE_KEY`, again exposing the key in process arguments even though the script itself only prints the balance. Because this is presented as a recurring monitoring pattern, it normalizes unsafe secret handling and increases the chance of credential disclosure on shared systems.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The 'Check regularly' examples repeatedly use `--private-key $KEY` in routine commands, creating repeated exposure opportunities via process inspection, shell history, and operational logging. In the context of an automated prediction-market bot, compromise of a wallet key can lead to unauthorized trading and fund theft.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The document claims private keys should never be logged or printed, yet elsewhere instructs users to display secrets with commands like `cat ~/.config/clawearn/polymarket-key.txt` and `echo $POLYMARKET_PRIVATE_KEY`. In an agent or shared terminal environment, console output may be captured by logs, shell history, screenshots, or orchestration tooling, causing irreversible compromise of wallet funds.

Intent-Code Divergence

Severity: Medium
Confidence: 84%
Finding
The document correctly warns not to share private keys, but then recommends exporting and storing them in plaintext-accessible locations such as a JSON file and environment variables. That creates a realistic secret-exposure risk through local compromise, shell history, process inspection, backups, logs, or accidental file disclosure, especially in an agentic environment that may read local files automatically.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The instructions encourage passing sensitive secrets such as private keys and API tokens directly on command lines and headers, which can expose them through shell history, process listings, logs, or agent transcripts. In a trading skill context, leaked credentials can enable unauthorized account access, trading, and fund movement.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The update workflow overwrites local files from remote sources without any integrity verification, trust warning, or user confirmation. Because these files define future agent behavior, this creates a straightforward remote instruction injection path if the server, transport, or local source is tampered with.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README instructs users to create wallets, fund them, transfer USDC, and place trades involving real assets, but it does not prominently warn that blockchain transfers and market orders can be irreversible and can result in immediate financial loss. In the context of an agent skill for autonomous trading, omission of these warnings increases the chance that users or bots will execute destructive actions without adequate confirmation or risk controls.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The installation and skill download steps instruct users to execute remote code and overwrite local skill files directly from a remote domain without any integrity verification, signature checking, or trust warning. This creates a straightforward supply-chain risk: if the hosting domain or network path is compromised, arbitrary code or malicious skill content could be delivered and persisted locally.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The documentation instructs users to pipe a remotely fetched script directly into bash, which executes unreviewed code immediately with the user's privileges. This is especially dangerous in a wallet/trading skill because compromise can lead to credential theft, wallet takeover, or malicious transaction execution.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill promotes wallet creation, USDC transfers, and autonomous trading without upfront warnings about irreversible blockchain actions, financial loss, and the need for user authorization. In an agent context, omission of these warnings increases the chance of unsafe autonomous execution and user harm.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The markdown contains concrete commands that pass private keys directly on the command line without warning readers that these values may be visible to other local users and persisted in shell history. Documentation examples are operational guidance; unsafe examples are likely to be copied verbatim into production workflows.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
These troubleshooting instructions tell users to reveal secrets directly via `cat ~/.config/clawearn/polymarket-key.txt` and `echo $POLYMARKET_PRIVATE_KEY` without prominent warnings. Because this skill manages real-money wallets, exposing a private key even once can let anyone with terminal, log, or monitoring access steal all funds immediately.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The heartbeat instructs the agent to pass a raw private key on the command line for routine balance and account queries, but does not place a clear sensitive-credential warning adjacent to those commands. Command-line secrets are commonly exposed through shell history, process listings, logs, or telemetry, so normalizing this pattern can leak the trading wallet and enable full account compromise and fund theft.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill encourages state-changing financial actions such as canceling orders and later placing trades as part of a routine heartbeat, without a strong, consistent upfront warning that these operations can alter account state and move user funds. In an agent context, this increases the chance of autonomous or habitual execution of high-risk actions, leading to unintended trades, order cancellations, losses, or strategy disruption.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill documents automatic withdrawals, deposits, refuels, and unlimited token approvals in a way that can normalize commands that immediately move funds or grant spending authority, without a prominent transactional-risk warning before the examples. In an agent setting, this raises the chance of unintended on-chain actions with irreversible financial consequences.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The troubleshooting guidance explicitly recommends using a VPN to work around geographic restrictions, which is effectively advice for bypassing platform compliance controls. That can expose users to legal, regulatory, account-enforcement, and funds-access risks, and is especially dangerous in a financial trading skill where jurisdiction restrictions are material.

VirusTotal

64/64 vendors flagged this skill as clean.
