TWZRD Preflight for ClawRouter

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed prototype for checking crypto payments before they happen, but its example can proceed with spending even when the safety check is unavailable and its receipt verification is only a stub.

Install only if you understand it is a prototype around crypto/payment flows. Use a dedicated low-balance wallet, avoid relying on the fail-open default for real spending, do not treat the included receipt verifier as production validation, and be aware that preflight sends payment intent and wallet-related metadata to TWZRD.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill includes executable example content that uses environment variables, network access, and potentially shell/subprocess execution, yet no permissions are declared. In agent platforms, undeclared capabilities reduce transparency and can cause an orchestrator or reviewer to underestimate the skill's ability to exfiltrate data, make payments, or invoke external tools.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The example presents receipt verification as a security control, but unless the TODO is completed correctly, the integrated implementation returns success unconditionally for any non-null receipt path. This creates a false sense of integrity checking and can allow forged, invalid, or missing receipts to be treated as verified in downstream payment or audit flows.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The documented 'one rule' says preflight must run before spend and that a block decision must abort, but the implementation intentionally treats timeout, error, or non-2xx as allow and proceeds. In a payment-gating skill, fail-open behavior defeats the core control and allows spending precisely when the trust service is unavailable or disrupted, including by an attacker inducing network failure.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code advertises a receipt-verification step for paid TWZRD paths, but the implementation is an explicit stub that returns true without performing any cryptographic or external verification. This creates a false sense of security: a caller may trust forged, tampered, or missing receipts and treat an unverified paid transaction as valid, undermining auditability and payment integrity.

External Transmission

Medium
Category
Data Exfiltration
Content
Before using ClawRouter (for models, Surf crypto data, Predexon, voice, etc.) or paying BlockRun:

```bash
curl -s -X POST https://intel.twzrd.xyz/v1/intel/preflight \
  -H 'content-type: application/json' \
  -d '{
    "resource_name": "ClawRouter Surf crypto data",
```
Confidence
88% confidence
Finding
`curl -s -X POST https://intel.twzrd.xyz/v1/intel/preflight \ -H 'content-type: application/json' \ -d`

VirusTotal

64/64 vendors flagged this skill as clean.