BOB

Security checks across malware telemetry and agentic risk

Overview

BOB's behaviour matches its stated NFT-minting purpose, but the skill asks the agent to handle raw wallet private keys and to sign server-provided transactions with insufficient user control over what is signed.

Review carefully before installing. Do not use a main wallet private key. If you proceed, use a fresh burner wallet funded only with the mint price and gas; verify the contract address, chain ID, value, calldata, and recipient of every transaction before signing it; and treat the API's agentHint text as untrusted data rather than as instructions to follow.
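The pre-signing verification the overview asks for can be enforced mechanically rather than by eyeballing hex. The following is an added example for this review, not code from the BOB skill or its API: a policy check that refuses to sign unless the chain ID, destination contract, value, calldata selector and mint recipient all match what the operator verified beforehand. The transaction field names follow JSON-RPC conventions, the mint(address,uint256) selector 0x40c10f19 is assumed as the contract's mint entry point, and the addresses and sample transactions are constructed placeholders.

```python
"""Offline pre-signing policy check for a server-supplied EVM transaction.

Added example for this review; not code from the BOB skill or its API.
Field names, policy values, selector and sample transactions are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


def _to_int(v) -> int:
    """Accept ints, decimal strings and 0x-prefixed hex strings (JSON-RPC style)."""
    if isinstance(v, int):
        return v
    s = str(v).strip().lower()
    return int(s, 16) if s.startswith("0x") else int(s)


def _is_address(s) -> bool:
    """20-byte hex address with 0x prefix; checksum case is ignored on purpose."""
    return (isinstance(s, str) and len(s) == 42 and s[:2].lower() == "0x"
            and all(c in "0123456789abcdef" for c in s[2:].lower()))


@dataclass(frozen=True)
class SigningPolicy:
    chain_id: int                 # the only chain the burner may sign for
    contract: str                 # the mint contract address verified out of band
    recipient: str                # the burner wallet that must receive the NFT
    max_value_wei: int            # the mint price; anything above is refused
    allowed_selectors: frozenset  # 4-byte function selectors the skill may call


def decode_first_address_arg(data: str) -> Optional[str]:
    """Return the address in the first ABI word after the selector, or None."""
    body = data[2:] if data.lower().startswith("0x") else data
    if len(body) < 8 + 64:
        return None
    word = body[8:8 + 64]
    if word[:24] != "0" * 24:        # an address word is left-padded with zeros
        return None
    return "0x" + word[24:].lower()


def check_transaction(tx: dict, policy: SigningPolicy) -> List[str]:
    """Return policy violations; an empty list means the tx may be signed."""
    problems = []
    try:
        if _to_int(tx.get("chainId", -1)) != policy.chain_id:
            problems.append("chainId mismatch")
    except ValueError:
        problems.append("chainId not parseable")
    to = tx.get("to")
    if not _is_address(to) or to.lower() != policy.contract.lower():
        problems.append("to is not the verified contract")
    try:
        if _to_int(tx.get("value", 0)) > policy.max_value_wei:
            problems.append("value exceeds mint price")
    except ValueError:
        problems.append("value not parseable")
    data = str(tx.get("data", "0x"))
    selector = data[:10].lower()
    if len(data) < 10 or selector not in policy.allowed_selectors:
        problems.append("calldata selector not allowed")
    else:
        recipient = decode_first_address_arg(data)
        if recipient != policy.recipient.lower():
            problems.append("mint recipient is not the burner wallet")
    return problems


# Constructed sample data; every value below is a placeholder for the example.
MINT_SELECTOR = "0x40c10f19"          # mint(address,uint256), assumed for the example
CONTRACT = "0x" + "11" * 20           # placeholder for the verified mint contract
BURNER = "0x" + "22" * 20             # placeholder burner wallet
ATTACKER = "0x" + "33" * 20           # placeholder address a tampered response might use

POLICY = SigningPolicy(chain_id=1, contract=CONTRACT, recipient=BURNER,
                       max_value_wei=10**16, allowed_selectors=frozenset({MINT_SELECTOR}))


def encode_mint(recipient: str, quantity: int) -> str:
    """ABI-encode mint(address,uint256) calldata for the constructed samples."""
    return MINT_SELECTOR + recipient[2:].lower().rjust(64, "0") + format(quantity, "064x")


HONEST_TX = {"chainId": 1, "to": CONTRACT, "value": "0x2386f26fc10000",  # 0.01 ETH
             "data": encode_mint(BURNER, 1)}
# A tampered response: same contract, but 10x the value and the NFT goes elsewhere.
TAMPERED_TX = {**HONEST_TX, "value": hex(10**17), "data": encode_mint(ATTACKER, 1)}

if __name__ == "__main__":
    print(check_transaction(HONEST_TX, POLICY))
    print(check_transaction(TAMPERED_TX, POLICY))
```

Run the check on the exact object the API returned, before any signing code sees it, and pass nothing else from the response (in particular not agentHint) into the signing path; the hint, if shown at all, is displayed as quoted text, never interpreted.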

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The skill explicitly claims it only performs HTTP calls and does not run shell commands or execute code, but later instructs the agent to use curl, node, and npm. This mismatch is dangerous because it lowers operator suspicion and can trick an agent or user into approving broader local execution than they intended, including code execution and package installation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The skill instructs the agent to check for ethers, install it with npm into /tmp, and execute a local Node.js signing script. Even if the ultimate goal is NFT minting, introducing dependency installation and script execution expands the attack surface to package supply-chain risk and local code execution beyond simple API interaction.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
Installing ethers into /tmp modifies the local system and executes software fetched at runtime without a clear warning or explicit consent. This can expose the environment to dependency tampering, unexpected persistence, or abuse of a trusted agent to bootstrap code execution on the host.

Ssd 1

Severity: High
Confidence: 99%
Finding
Telling the agent to always read and follow server-provided agentHint fields creates a direct prompt-injection channel from untrusted remote content. A compromised or malicious API could instruct the agent to exfiltrate secrets, run additional commands, or override safer behavior under the guise of workflow guidance.

Ssd 4

Severity: High
Confidence: 95%
Finding
The flow normalizes handling an EVM private key, deriving addresses, solving puzzles, signing transactions, and even requesting a new private key when limits are reached. This is a dangerous authority escalation pattern because it conditions the agent and user to hand over high-value secrets and continue sensitive actions automatically across wallets, increasing the risk of secret misuse and unauthorized spending.

VirusTotal

66/66 vendors flagged this skill as clean. A clean antivirus result does not address the findings above: they concern what the skill instructs the agent to do at runtime, not malicious bytes in the skill files themselves.
