Orderly Deposit Withdraw

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill does what its name says (deposit and withdrawal guidance for Orderly), but its examples move real on-chain assets with too few safety controls around them.

Review carefully before installing or copying the examples:
  • Use official Orderly sources for contract addresses and chain data.
  • Require human confirmation of every destination, chain, token, amount, and environment before signing.
  • Avoid unlimited approvals unless explicitly accepted, and revoke unused allowances.
  • Keep private keys and API signing material out of frontend code and logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium. Confidence: 93%.
The skill documents deposit, withdrawal, and transfer flows for real blockchain assets without clearly warning that mistakes in destination address, chain, token, or contract selection can permanently lose funds. Because these operations are often irreversible, users may treat the examples as routine integration guidance and omit critical confirmation steps before signing or submitting transactions.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The skill requires Ed25519 API authentication and shows signing examples, including a Solana example that references a private key, but it does not warn against embedding or exposing private key material in client-side code. This can lead developers to store long-lived signing keys in frontend apps, browser bundles, logs, or environment leaks, enabling full account compromise and unauthorized authenticated actions.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The deposit example grants `ethers.MaxUint256` approval to the vault without warning about the security tradeoff of unlimited allowances. If the approved contract is compromised, upgraded maliciously, misconfigured, or if the address is wrong, an attacker could spend far more tokens than the intended deposit amount from the user's wallet.
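The safeguards the first and third findings ask for, as one added example that is not code from the skill or from Orderly: a preflight that compares a deposit or withdrawal intent against the official contract data, a verbatim human confirmation step, and an exact-amount allowance plan in place of the `ethers.MaxUint256` approval. The functions are pure and offline; the caller supplies the official config and the current on-chain allowance. The addresses, chain id, token entry and per-transaction ceiling in `OFFICIAL_CONFIG` are constructed placeholders, not Orderly deployments; load the real values from official Orderly sources.

```javascript
// Added example (not the skill's or Orderly's code). OFFICIAL_CONFIG holds
// constructed placeholder values, not real Orderly contract or chain data.
const MAX_UINT256 = (1n << 256n) - 1n;   // the value ethers.MaxUint256 evaluates to
const ZERO_ADDRESS = '0x' + '0'.repeat(40);

const OFFICIAL_CONFIG = {
  production: {
    chains: {
      1001: {   // placeholder chain id
        vault: '0x1111111111111111111111111111111111111111',
        tokens: { USDC: { address: '0x2222222222222222222222222222222222222222', decimals: 6 } },
      },
    },
    maxPerTx: { USDC: '100000' },   // operator-chosen per-transaction ceiling, in token units
  },
};

// Decimal string to base units with BigInt; no floating point near money.
function toBaseUnits(amountStr, decimals) {
  const m = /^(\d+)(?:\.(\d+))?$/.exec(String(amountStr).trim());
  if (!m) throw new Error(`invalid amount: ${amountStr}`);
  const frac = m[2] || '';
  if (frac.length > decimals) throw new Error(`more than ${decimals} decimals: ${amountStr}`);
  return BigInt(m[1]) * 10n ** BigInt(decimals) + BigInt(frac.padEnd(decimals, '0') || '0');
}

const isHexAddress = (a) => /^0x[0-9a-fA-F]{40}$/.test(a);
const sameAddr = (a, b) => String(a).toLowerCase() === String(b).toLowerCase();

// Returns every problem found (empty list = consistent with the official
// config). Each check maps to a way funds are lost for good: wrong chain,
// wrong token or vault contract, bad destination, mistyped amount.
function preflight(intent, config = OFFICIAL_CONFIG) {
  const problems = [];
  if (!['deposit', 'withdraw'].includes(intent.kind)) problems.push(`unknown operation: ${intent.kind}`);
  const env = config[intent.environment];
  if (!env) return [...problems, `unknown environment: ${intent.environment}`];
  const chain = env.chains[intent.chainId];
  if (!chain) return [...problems, `chain ${intent.chainId} is not configured for ${intent.environment}`];
  const token = chain.tokens[intent.tokenSymbol];
  if (!token) problems.push(`token ${intent.tokenSymbol} is not listed on chain ${intent.chainId}`);
  else if (!sameAddr(intent.tokenAddress, token.address)) problems.push('token address does not match official config');
  if (!sameAddr(intent.vault, chain.vault)) problems.push('vault address does not match official config');
  if (intent.kind === 'withdraw') {
    // Withdrawals go to a wallet; a contract or the zero address burns the funds.
    if (!isHexAddress(intent.destination)) problems.push('destination is not a 20-byte hex address');
    else if (sameAddr(intent.destination, ZERO_ADDRESS)) problems.push('destination is the zero address');
    else if (sameAddr(intent.destination, chain.vault) || (token && sameAddr(intent.destination, token.address)))
      problems.push('destination is a contract address, not a wallet');
  }
  try {
    const decimals = token ? token.decimals : 18;
    const amount = toBaseUnits(intent.amount, decimals);
    if (amount === 0n) problems.push('amount is zero');
    const cap = token && env.maxPerTx[intent.tokenSymbol];
    if (cap && amount > toBaseUnits(cap, decimals)) problems.push(`amount exceeds per-transaction ceiling of ${cap}`);
  } catch (e) { problems.push(e.message); }
  return problems;
}

// One canonical line the operator must approve verbatim, re-derived from the
// intent so the confirmation covers exactly what will be signed.
function confirmationSummary(intent) {
  return `${intent.kind} ${intent.amount} ${intent.tokenSymbol} on chain ${intent.chainId} ` +
         `(${intent.environment}) to ${String(intent.destination).toLowerCase()}`;
}
function isConfirmed(intent, typed) { return typed.trim() === confirmationSummary(intent); }

// Exact-amount approval plan: never MaxUint256, and no approval at all when
// the existing allowance already covers the deposit. Some tokens (USDT-style)
// reject changing a non-zero allowance directly, hence the reset to 0 first.
function planApproval(currentAllowance, amountBase) {
  if (amountBase <= 0n) throw new Error('nothing to approve');
  if (currentAllowance >= amountBase) return [];
  return currentAllowance > 0n ? [{ approve: 0n }, { approve: amountBase }] : [{ approve: amountBase }];
}

// Review helper for auditing integration examples like the one in this skill.
const isUnlimitedApproval = (value) => BigInt(value) === MAX_UINT256;
```

In an ethers-based integration the `approve` steps become `token.approve(vault, step.approve)` calls issued only after `preflight()` returns an empty list and `isConfirmed()` is true; after the deposit, any allowance left over should be set back to zero.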

VirusTotal

0 of 65 vendors flagged this skill; all 65 reported it clean.