Security audit

OpenSETI

Security checks across malware telemetry and agentic risk

Overview

The skill appears to run a SETI-style scanner, but it depends on an under-disclosed private coordinator that controls work downloads and wallet/reward tracking.

Review before installing. Only run this if you trust the publisher and the claw99.app coordinator, use a wallet address you are comfortable associating with this activity, do not provide private keys or seed phrases, and avoid continuous mode unless you intend ongoing CPU and network usage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Tainted flow: 'COORDINATOR_URL' from os.environ.get (line 25, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
def get_work(wallet):
    """Request a work unit from coordinator"""
    try:
        res = requests.post(
            f"{COORDINATOR_URL}/api/work",
            json={'wallet': wallet, 'api_key': API_KEY},
            timeout=30
Confidence: 96%
Finding: res = requests.post( f"{COORDINATOR_URL}/api/work", json={'wallet': wallet, 'api_key': API_KEY}, timeout=30 )

Tainted flow: 'url' from os.environ.get (line 306, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
        else:
            url = download_url

        res = requests.get(url, timeout=60)
        res.raise_for_status()
        return res.content
    except Exception as e:
Confidence: 99%
Finding: res = requests.get(url, timeout=60)

Tainted flow: 'COORDINATOR_URL' from os.environ.get (line 25, credential/environment) → requests.post (network output)

Severity: Critical
Category: Data Flow
Content:
def submit_result(wallet, work_id, result):
    """Submit analysis result"""
    try:
        res = requests.post(
            f"{COORDINATOR_URL}/api/submit",
            json={
                'wallet': wallet,
Confidence: 97%
Finding: res = requests.post( f"{COORDINATOR_URL}/api/submit", json={ 'wallet': wallet, 'api_key': API_KEY, 'work_id': work_id,

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill advertises commands that perform network access, local wallet/config storage, and likely file writes, yet the manifest declares no permissions. Hidden capabilities reduce user visibility into what the skill can do and make it easier to run outbound communications or persist data without informed consent. In a distributed-compute skill, undeclared network and persistence are especially important because continuous scanning implies sustained external contact and local state changes.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: This is a significant trust-boundary issue: the skill claims to analyze Breakthrough Listen data, but the detected behavior includes contacting a specific third-party coordinator, using a built-in API key, storing wallet data locally, and downloading arbitrary URLs supplied by the coordinator. That combination enables covert tasking, tracking, or delivery of untrusted content under the cover of a benign scientific-computing description. The token-reward framing further increases risk because it can socially engineer users into granting compute, network, and wallet-related access they would not otherwise allow.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding: The script embeds a default coordinator API key and transmits it to the remote service, effectively shipping an authentication capability inside a client-side skill. That enables unauthorized reuse, makes key rotation difficult, and hides privileged network behavior behind what is presented as a volunteer compute tool.

Context-Inappropriate Capability

Severity: Medium
Confidence: 99%
Finding: Accepting arbitrary absolute download URLs from the coordinator exceeds the stated purpose of downloading work units from the OpenSETI service and gives the remote service broad control over client egress. In context, a distributed scanning client should have tightly bounded network behavior, so this overreach is more dangerous than in a generic downloader.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The markdown encourages continuous/background scanning and automatic result submission without clearly warning about sustained CPU use, bandwidth consumption, disk activity, and ongoing outbound connections. Users may unknowingly turn their machine into a persistent worker process, which can affect system performance, incur costs, and mask abusive or unexpected network behavior. In a distributed-compute context, omission of these warnings materially increases risk because the core workflow is long-running by design.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill reads an API key from the environment and sends it over the network without any clear user-facing disclosure, which can cause operators to leak credentials unintentionally. Even when HTTPS is used, undisclosed credential transmission is a security and transparency issue.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.