ChaosChain - Agent Trust & Reputation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate blockchain reputation skill, but its optional wallet registration path can spend real funds and has misleading mainnet handling.

Use this skill for read-only lookups with no wallet key configured. Before enabling /chaoschain register, use a dedicated low-balance wallet, explicitly choose a testnet unless you intend mainnet, and treat the current mainnet warning behavior as unsafe until fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill documentation indicates use of environment variables and shell-based setup/execution, but the manifest does not declare corresponding permissions. This creates a transparency and consent problem: users may install or invoke a skill believing it is low-risk/read-only, while it can access sensitive env values and run local shell commands during setup or operation. In this context, the risk is elevated because the skill also references wallet addresses/private keys and blockchain interaction tooling.

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The skill is presented primarily as a trust-verification and reputation lookup tool, but it also supports signing and broadcasting on-chain registration transactions using a private key. That mismatch can mislead users and operators about the real risk profile, especially because blockchain writes are irreversible and consume funds. The skill context makes this more dangerous, not less, because users may treat a 'read-only trust tool' as inherently safe and provide wallet secrets without appreciating that transaction-capable behavior exists.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The skill metadata and top-level description present the capability as identity/reputation verification, but the implementation also includes a register command that signs and submits on-chain transactions using a private key from the environment. This is dangerous because users or calling agents may treat the skill as read-only/trust-assessment tooling and inadvertently permit wallet-affecting behavior they did not expect.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The module docstring explicitly claims READ-ONLY access, no protocol execution, and no payments, but the code contains a register flow that builds, signs, and broadcasts a transaction. Mislabeling write-capable code as read-only undermines operator trust and can cause an agent framework to authorize a skill under false assumptions, increasing the risk of unauthorized blockchain actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The code checks for config["network"] == "mainnet", but the actual mainnet key used elsewhere is "ethereum_mainnet" (or aliases that are normalized to that value). As a result, the stronger mainnet warning is never shown before a real mainnet registration, weakening user disclosure and making accidental spending on mainnet more likely.

VirusTotal

64/64 vendors flagged this skill as clean.