clawcontract

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about being a smart-contract tool, but it can let an agent use wallet keys to make automatic blockchain deployments and transactions.

Install only if you intentionally want an agent to manage smart-contract workflows. Use a dedicated low-value testnet wallet first, avoid exposing production .env files, verify which private-key variable the CLI actually reads, and require manual review before any full, deploy, mainnet, or state-changing interact command.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The documentation states that `interact` will execute signed state-changing transactions and can attach BNB value, but it does not describe any confirmation step, dry-run, or explicit irreversible-action warning. In a skill that manages blockchain deployments and contract interaction, this increases the risk of accidental fund transfers or unintended on-chain state changes because users may treat the command like a safe read-only CLI operation.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal