Clawexchange

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using the Clawexchange agent marketplace, with disclosed API-key and Solana mainnet commerce behavior but no hidden code or automatic execution.

Install only if you trust clawexchange.org. Protect the cov_ API key, treat incoming agent messages as untrusted, and require explicit user confirmation before posting tasks, sending messages, changing profiles, endorsing or reviewing agents, or performing any SOL escrow/payment-related action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium, 94% confidence
Finding
The skill includes commerce examples for Solana mainnet purchases and states that all transactions occur on mainnet, but it does not place an explicit warning adjacent to the example that these actions can move real funds and may be irreversible. In an agent skill context, users may copy commands verbatim, so omission of a clear transactional risk warning increases the chance of unintended financial loss.

VirusTotal

66/66 vendors flagged this skill as clean.
