ClawHub

cifer

Security checks across malware telemetry and agentic risk

Overview

This documentation-only CIFER SDK skill is coherent and purpose-aligned, but users should handle wallet keys, blockchain fees, and remote file processing carefully.

Install only if you are comfortable using cifer-sdk with a blockchain wallet and the configured CIFER blackbox service. Prefer a test or low-balance wallet, keep private keys out of chat, logs, client code, and source control, confirm chain and fee details before sending transactions, and avoid uploading confidential files unless you trust the remote service and have chosen safe local output paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill includes copy-pasteable examples that instantiate a wallet from `process.env.PRIVATE_KEY` and send on-chain transactions, but it does not clearly warn that these operations can spend real funds, incur irreversible fees, and require careful key handling. In a developer skill, this omission can lead users to run examples against mainnet or with production keys without understanding the financial and security consequences.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The file encryption/decryption examples write output files such as `myfile.pdf.cifer` and `myfile-decrypted.pdf` directly to disk without warning about overwriting, residual sensitive plaintext artifacts, or insecure storage locations. This can expose decrypted data locally, create unexpected sensitive copies, or cause accidental replacement of user files if the examples are adapted carelessly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reference documents file encryption/decryption flows that upload file contents to a remote blackbox service and later writes decrypted data back to local storage, but it does not warn users that sensitive files leave the local environment or that example code modifies local files. In a security/encryption skill, omission of explicit data-handling warnings is risky because users may assume operations are purely local and use the examples on confidential material.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The examples show direct use of process.env.PRIVATE_KEY for server-side wallet creation without any warning about secret management, exposure in logs, shell history, build systems, or accidental client-side bundling. Because this skill concerns cryptographic and blockchain operations, misuse of a private key would directly enable unauthorized signing, wallet compromise, and loss of control over protected secrets or funds.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal