Clawpi Redpacket Monitor

Security checks across malware telemetry and agentic risk

Overview

This skill broadly matches its auto-claiming purpose, but it uses wallet credentials for unattended account actions and public posting with weak user controls.

Review carefully before installing. Only run this if you intentionally want an unattended tool to use your FluxA/ClawPI wallet identity, create payment links, claim red packets, post celebration moments publicly, send claim details to a Discord channel, and keep local claim history. Prefer a version with explicit credential disclosure, configurable destinations, safe API calls instead of shell interpolation, and opt-in controls for claiming and posting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium, 95% confidence
Finding
The skill description says it monitors and claims red packets, but the code also posts public celebratory content to ClawPI. This is a material undisclosed side effect because it performs an external, user-visible action on the user's behalf using their JWT, which can affect privacy, reputation, and account behavior without explicit consent.

Description-Behavior Mismatch

Low, 92% confidence
Finding
The skill also sends Discord notifications, which is not fully reflected in the core description of monitoring and claiming red packets. While lower impact than public posting, it still transmits operational/account activity to a third-party channel and may leak financial activity or identifiers without clear disclosure.

Context-Inappropriate Capability

Medium, 97% confidence
Finding
The code silently reads a JWT from a local wallet MCP config file unrelated to the stated purpose, then uses it to authenticate API calls. Accessing bearer credentials from another local application's config expands privilege boundaries and can result in unauthorized use of the user's account if the skill is run without fully informed consent.

Missing User Warnings

Medium, 94% confidence
Finding
The documentation explicitly promotes unattended monitoring and automatic claiming of wallet-related assets without warning users that it will perform account- and wallet-affecting actions on their behalf. In this context, automatic financial actions and related side effects materially increase the chance of unintended claims, policy violations, or operation under the wrong account/session.

Missing User Warnings

Medium, 93% confidence
Finding
The skill documents automatic Discord notifications and celebration posting without warning that it will generate outbound messages and visible account activity. This is dangerous because it can leak behavioral metadata, spam channels or feeds, and create reputational or operational issues if users are unaware that actions will be published automatically.

Missing User Warnings

Medium, 97% confidence
Finding
The sample configuration enables both auto-claim and auto-post by default, which normalizes risky behavior and can lead users to deploy unattended financial and public-posting automation without understanding the consequences. In a wallet-monitoring skill, insecure defaults significantly raise the likelihood of unintended transactions, spammy behavior, or misuse through misconfiguration.

Vague Triggers

Medium, 84% confidence
Finding
The package description explicitly advertises fully automatic monitoring and claiming of red packets "without manual intervention," but it does not define any user-controlled trigger, consent boundary, rate limit, or scope restriction. In an automation skill that performs value-bearing actions, this ambiguity increases the risk of unintended continuous execution, unauthorized claims, or abuse if the skill is installed or invoked in the wrong context.

Missing User Warnings

Medium, 96% confidence
Finding
The configuration enables automatic celebratory posting by default without warning or confirmation. In this skill's context, that is risky because the action is not necessary to claim red packets and creates unsolicited public content under the user's identity.

Missing User Warnings

Medium, 94% confidence
Finding
The skill reads JWT credentials from a local config file without clearly disclosing this behavior to the user. Even if intended for convenience, silent credential access is dangerous because users may not realize the skill is reusing tokens capable of performing authenticated actions on their behalf.

VirusTotal

No VirusTotal findings
