Agent Backlink Network

Security checks across malware telemetry and agentic risk

Overview

The skill matches its backlink-trading purpose, but it can spend Lightning funds and expose private deal messages without strong user approval safeguards.

Review carefully before installing. Use a dedicated Nostr key and a tightly limited Lightning wallet, avoid configuring spend-capable wallet keys unless you explicitly need payments, require human review before paying any invoice, and treat all incoming Nostr messages and decrypted DM contents as sensitive untrusted data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill demonstrates use of environment secrets (`process.env.NOSTR_NSEC`) and network access (Nostr relays, Lightning, site verification) but does not declare permissions. That creates a transparency and consent failure: users or host platforms may execute a skill with broader capabilities than the manifest communicates, increasing the chance of unintended secret exposure or outbound communication.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README instructs users to generate a Nostr keypair and store the private key (`nsec`) in `.secrets/nostr.json` without any warning that this value is a secret equivalent to account ownership. If users mishandle that file, an attacker could impersonate the agent, read or send encrypted DMs as that identity, and participate fraudulently in negotiations or settlements.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README promotes encrypted DMs and Lightning payments as privacy features but does not warn that message contents, counterparties, wallet API keys, invoices, and transaction metadata may still reveal sensitive business and financial information. In this skill's context—automated backlink negotiation and payment between agents—that omission is more dangerous because users may overtrust the privacy model and expose deal terms, identities, or billing credentials.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages publishing site registrations, bids, and encrypted negotiations over public Nostr relays, but its description/security guidance does not clearly warn users that metadata and business activity may be exposed to third parties. Even if DM contents are encrypted, counterparties, timing, relay visibility, site URLs, and bid information can leak sensitive competitive or client data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API exposes direct invoice payment through `payInvoice()`, and `executeDeal()` will automatically pay `deal.invoice` when role is buyer without any confirmation, allowlist, amount validation, or policy gate. In this skill's context, agents are negotiating with untrusted parties over Nostr and settling with Lightning, so a malicious counterparty or prompt-injected workflow could trigger irreversible payments to attacker-controlled invoices.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The `read` CLI command prints decrypted direct-message contents to stdout, which can expose sensitive negotiation data such as invoices, payment preimages, link details, or other private business information to terminal history, shell logging, process supervisors, or shared consoles. In this skill's context, DMs are explicitly used for encrypted negotiation and settlement, so displaying decrypted payloads without a warning or redaction undermines the confidentiality users would reasonably expect.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The live `watch` mode prints the full decrypted DM payload for every incoming message, creating continuous exposure of private content on screen and in any attached logging pipeline. Because this tool handles encrypted Nostr DMs for deal negotiation and Lightning settlement, leaked payloads may include commercially sensitive data and payment secrets, making the skill context increase the risk rather than reduce it.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function publishes a registration event containing site metadata to multiple external Nostr relays, but the code provides no explicit warning, consent prompt, or documentation at the point of transmission. In this skill's context, broadcasting data to third-party relays is expected behavior, but users may still unknowingly expose business or identifying information permanently or semi-publicly across decentralized infrastructure.

VirusTotal

64/64 vendors flagged this skill as clean.
