clawmegle staking

Security checks across malware telemetry and agentic risk

Overview

This is a real crypto staking helper, but it can submit live blockchain transactions and store transaction credentials with weak safeguards.

Review before installing. Use only a dedicated low-balance wallet, verify the contract address and calldata independently, protect or rotate the Bankr API key, avoid raw private keys where possible, and do not enable heartbeat auto-claims or reward deposits without explicit transaction approval rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium, 93% confidence
Finding:
The documented `depositRewards(uint256)` payable function expands the skill's apparent capability beyond the stated user purpose of staking, checking rewards, claiming, and managing a staking position. In an agent setting, exposing or normalizing an admin/funder-style reward-deposit operation can cause an integrator or downstream model to construct unintended value-transferring transactions, especially because it is payable and could send both ETH and tokens to the contract.

Description-Behavior Mismatch

Medium, 90% confidence
Finding:
The script performs administrative reward funding of the staking contract, which is outside the manifest’s stated user-facing scope of staking, checking rewards, claiming earnings, and managing a staking position. Expanding an agent skill to include treasury-like deposit functionality increases the chance an agent could be induced to move ETH and tokens in ways users did not intend, especially because the script directly constructs and submits on-chain approval and deposit transactions.

Missing User Warnings

Medium, 93% confidence
Finding:
The heartbeat directs the operator to run `./scripts/claim-bankr.sh` as part of routine automation, but does not clearly warn that this likely submits a state-changing on-chain claim transaction rather than a read-only check. In an agent skill context, that omission is risky because it can normalize unattended execution of transactions that spend gas, alter staking state, and potentially trigger repeated or unintended claims if thresholds or script behavior are wrong.

Missing User Warnings

Medium, 92% confidence
Finding:
The README instructs users and agents to stake, claim, and unstake real on-chain assets but does not prominently warn that these actions move real funds, incur gas costs, and may be irreversible once submitted. In an autonomous agent context, this omission increases the chance of unintended financial loss or unsafe execution without adequate operator confirmation.

Vague Triggers

Medium, 87% confidence
Finding:
The invocation description is broad enough that an agent may select this skill for generic staking or reward-management prompts without the user specifically requesting CLAWMEGLE staking on Base. In an agentic environment, overbroad routing increases the chance of accidental transaction preparation or execution against the wrong protocol or asset.

Missing User Warnings

Medium, 92% confidence
Finding:
The documentation instructs users to export a raw PRIVATE_KEY into the shell environment and read it from a local file, but does not prominently warn that environment variables, shell history, process inspection, logs, or downstream tooling may expose the secret. Because this skill performs blockchain transactions, compromise of that key can result in irreversible asset theft across the wallet.

Missing User Warnings

Medium, 94% confidence
Finding:
The file provides ready-to-run approval, staking, claim, and unstake transaction examples that can directly move assets or grant token spending authority, but it does not include explicit warnings about irreversible on-chain actions, approval risk, network verification, or the need to validate addresses and calldata before submission. In an agent skill context, this is more dangerous because an automated system may convert these examples into real transactions with limited user scrutiny, increasing the chance of unintended approvals or asset movement.

Missing User Warnings

Medium, 94% confidence
Finding:
The script requires a raw PRIVATE_KEY in the environment, derives the wallet address from it, and later uses the same secret to sign a live mainnet transaction. Even if this is intended for legitimate staking operations, handling a private key directly in a shell script increases the risk of accidental exposure through shell history, process inspection, CI logs, or unsafe operator practices.

Missing User Warnings

Medium, 91% confidence
Finding:
The script submits an irreversible transaction to Base mainnet immediately after detecting pending rewards, with no interactive confirmation, dry-run, or transaction preview. In an agent-driven or automated setting, this makes unintended claims easier to trigger and removes a human checkpoint before spending gas and mutating on-chain state.

Missing User Warnings

Medium, 95% confidence
Finding:
The script initiates an approval followed by a staking transaction immediately after taking a numeric input, with no explicit interactive confirmation, dry-run preview, or requirement for the user to acknowledge the exact contract, token, and amount. In an agent-skill context, this is risky because a caller or higher-level automation could trigger irreversible on-chain transactions without a clear final consent step, increasing the chance of accidental approvals and unintended fund movement.

Missing User Warnings

Medium, 95% confidence
Finding:
The script submits two irreversible on-chain transactions (ERC-20 approve and staking) immediately after parsing the amount, with no interactive confirmation, dry-run, or explicit acknowledgment of the target contract and token addresses. In an agent skill context, this is more dangerous because an autonomous or semi-autonomous agent could trigger value-bearing transactions from a loaded private key based on malformed input, misconfiguration, or prompt manipulation, causing unintended token approvals and deposits.

VirusTotal

64/64 vendors flagged this skill as clean.
