Clawbet

Security checks across malware telemetry and agentic risk

Overview

This real-money autonomous betting skill is mostly purpose-aligned, but it needs Review because it can hot-reload remote instructions, spend funds automatically, persist credentials, and post activity publicly with limited user gating.

Install only if you knowingly want an agent to hold wallet/API credentials and make real USDC bets. Before enabling it, disable or require approval for hot-reload, set strict bankroll and daily loss limits, use dry-run or small test transfers first, review any heartbeat/soul fragments before appending them, and keep Moltbook/social posting off unless you want betting activity published.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exercises sensitive capabilities including filesystem writes, network access, and subprocess execution, yet declares no permissions or trust boundaries. That makes it easier for an agent platform or user to approve the skill without understanding that it can create wallets, persist credentials, and initiate financial and network actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The advertised behavior is a quick API betting skill, but the document also instructs wallet generation, on-chain transfers, autonomous betting loops, social posting, DM use, and duel workflows. This mismatch undermines informed consent and can cause an agent to perform higher-risk financial and communication actions than the metadata suggests.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill includes an autonomous hot-reload mechanism that fetches and applies remote skill instructions at runtime. This creates a supply-chain and remote-behavior-change risk: a compromised API, malicious update, or unexpected rule change could alter the agent's actions without user review, including changing betting behavior or adding new side effects.
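An approval gate of the kind the overview recommends for hot-reload, as an added example rather than code from Clawbet: remote instructions are applied only when their SHA-256 matches the digest the operator last approved; anything else is staged with a unified diff for review and never applied on its own. ReloadGate, its methods and the sample rule text are assumptions for illustration.

```python
"""Added example, not Clawbet code: an approval gate for hot-reloaded
instructions. ReloadGate and its methods are assumptions for illustration."""
import difflib
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class ReloadGate:
    """Keeps the digest of the instruction text the operator last approved.
    A remote update that differs is staged for review, never applied."""
    approved_sha256: str
    active_text: str
    staged: dict = field(default_factory=dict)  # digest -> text awaiting review

    def on_fetch(self, fetched: bytes) -> str:
        """Called with the raw bytes the hot-reload fetched from the API."""
        digest = hashlib.sha256(fetched).hexdigest()
        if hmac.compare_digest(digest, self.approved_sha256):
            return "unchanged"
        self.staged[digest] = fetched.decode("utf-8")  # strict: malformed bytes raise
        return "staged:" + digest

    def review(self, digest: str) -> str:
        """What the operator sees before deciding: a diff, not the raw text."""
        return "".join(difflib.unified_diff(
            self.active_text.splitlines(True),
            self.staged[digest].splitlines(True),
            "approved", "proposed"))

    def approve(self, digest: str) -> str:
        """Operator action: promote a staged update to the active rule set."""
        text = self.staged.pop(digest)
        self.approved_sha256 = digest
        self.active_text = text
        return text


# Constructed sample: the rule text an operator reviewed when enabling the skill.
APPROVED = "max_bet_usdc: 5\nallow_social_posting: false\n"


def new_gate(approved_text: str = APPROVED) -> ReloadGate:
    """Pin the digest of text that has already been read by a human."""
    return ReloadGate(hashlib.sha256(approved_text.encode()).hexdigest(), approved_text)
```

A fetch that returns the already-approved text is a no-op; a fetch that raises the bet cap or switches social posting on stays staged until `approve` is called, so a compromised API or a silent rule change cannot alter the agent's behaviour without a human reading the diff.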

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill performs outbound posting to Moltbook that is not apparent from the betting-focused description, causing behavior to extend beyond the user's expected scope. This can expose betting activity, rankings, results, and strategy-related metadata to a third party, creating privacy, reputational, and consent issues.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
A betting skill additionally directs agents to post promotional content and betting activity to Moltbook, which is outside the core stated function. This broadens data disclosure and outbound communications to a third-party platform without being clearly scoped in the manifest.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The documentation embeds a broad social networking and direct-messaging system in what is presented as an API betting arena. These communication features expand the attack surface for data leakage, spam, prompt-injection style agent interactions, and reputation manipulation.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill claims private keys never enter the conversation, yet later provides an example using a raw private key string in Python (`Keypair.from_base58_string("YOUR_PRIVATE_KEY")`). Mixed guidance around secret handling is dangerous because users or agents may copy insecure examples and expose live wallet credentials into logs, prompts, or source files.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The bot advertises tilt management and mood-based risk control, but the main trading loop never updates `consecutive_losses`, never evaluates outcomes, and never calls `update_mood()`. In a real-money betting context, this creates a misleading safety guarantee: operators may believe loss-limiting controls are active when the bot will continue placing bets indefinitely under adverse conditions, increasing financial exposure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The workflow repeatedly publishes prediction, result, duel, rank, and tilt data to Moltbook without clearly warning users that performance and behavioral data may be made public. Even though posting depends on an API key, the design silently posts once configured, which can surprise users and leak sensitive or identifying operational information.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill strongly promotes continuous autonomous betting and 24/7 operation while providing strategy guidance that can normalize repeated financial risk-taking. In a real-money crypto context, the lack of prominent loss-risk, jurisdiction, and user-consent warnings increases the chance of unsafe autonomous spending.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The Moltbook section encourages public posting of predictions and results without clearly warning that trades, identifiers, and behavioral patterns become publicly attributable. This can expose financial activity, profiling data, and cross-platform linkage of agent identities.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to persist evolving strategy and reflection data into `memory/clawbet/strategy.md` and related memory files without any user notification, consent boundary, or retention guidance. In an autonomous agent setting, silent writes to persistent memory can alter future behavior, create hidden state, and store sensitive or manipulative content beyond the current session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill directs the agent to post to Moltbook based on emotional or performance triggers such as being confident, reaching milestones, or entering the top 10, with no requirement for user approval. Unconsented external posting is risky because it can leak activity, create unwanted public actions, and allow the skill to trigger network side effects unrelated to an immediate user request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README encourages one-command installation that auto-registers an agent, starts a heartbeat loop, and begins autonomous trading with real USDC within seconds, but it does not place a clear warning near that flow about real-money loss, wallet authorization, or irreversible on-chain transactions. In a crypto betting context, this omission materially increases the chance that users will enable autonomous wagering without understanding financial risk or custody implications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The quick-start code shows how to call `quickstart(...)` and then `auto_bet(... amount=50, rounds=10)` using real funds, but it provides no adjacent caution that this can spend actual USDC on recurring bets. Because the skill is explicitly marketed as API-driven and autonomous, the lack of warning and friction makes accidental or uninformed financial loss more likely.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script continuously creates real-money $100 duel challenges in an infinite loop without interactive confirmation, spending limits, dry-run mode, or explicit risk gating. In the context of an API-driven betting skill, this can quickly lead to unintended financial loss if a user runs the example with valid credentials or misunderstands that it performs recurring live actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example performs real automated betting immediately after setup, including a fixed amount and multiple rounds, without an explicit confirmation prompt or strong warning that funds may be spent. In a skill explicitly designed for crypto betting, this is more dangerous because users are likely to run the quickstart verbatim and may trigger unintended financial losses.
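The control the tilt-management finding says is missing (outcomes are never evaluated and loss counters never updated) and the friction the quickstart, `auto_bet` and duel-loop findings say is absent (dry-run, per-bet cap, bankroll and daily loss limits), as an added example rather than Clawbet code. RiskGuard, run_loop and the place_bet/settle callables are assumptions for illustration; the outcomes in the usage are constructed.

```python
"""Added example, not Clawbet code: a risk gate that settles every bet and
refuses the next one once a limit is hit. RiskGuard, run_loop and the
place_bet/settle callables are assumptions for illustration."""
from dataclasses import dataclass


@dataclass
class RiskGuard:
    bankroll: float               # funds the agent may touch, not the whole wallet
    max_bet: float                # hard cap per wager
    daily_loss_limit: float       # stop once realised losses for the day reach this
    max_consecutive_losses: int   # tilt breaker: stop after this many losses in a row
    dry_run: bool = True          # default to no real transfers
    daily_loss: float = 0.0
    consecutive_losses: int = 0
    halted: bool = False

    def check(self, amount: float) -> tuple[bool, str]:
        """Decide before any funds move; every refusal carries a reason."""
        if self.halted:
            return False, "halted"
        if amount <= 0 or amount > self.max_bet:
            return False, "amount outside per-bet cap"
        if amount > self.bankroll:
            return False, "insufficient allotted bankroll"
        if self.daily_loss + amount > self.daily_loss_limit:
            return False, "daily loss limit would be exceeded"
        return True, "ok"

    def record_outcome(self, net_pnl: float) -> None:
        """Settle one bet: the counters the finding says are never updated."""
        self.bankroll += net_pnl
        if net_pnl < 0:
            self.daily_loss += -net_pnl
            self.consecutive_losses += 1
        else:
            self.consecutive_losses = 0
        if (self.consecutive_losses >= self.max_consecutive_losses
                or self.daily_loss >= self.daily_loss_limit):
            self.halted = True


def run_loop(guard: RiskGuard, amount: float, rounds: int, place_bet, settle) -> list:
    """Bet at most `rounds` times. place_bet(amount) -> bet id (moves real
    money); settle(bet_id) -> net P&L. Neither is called in dry-run mode."""
    log = []
    for _ in range(rounds):
        ok, reason = guard.check(amount)
        if not ok:
            log.append(("stop", reason))
            break
        if guard.dry_run:
            log.append(("dry-run", amount))
            continue
        bet_id = place_bet(amount)
        guard.record_outcome(settle(bet_id))  # evaluate the result before betting again
        log.append(("bet", bet_id))
    return log


if __name__ == "__main__":
    # Constructed run: three straight losses trip the tilt breaker at round 3.
    ids = iter(range(1, 100))
    outcomes = iter([-10, -10, -10, 9, -10])
    guard = RiskGuard(bankroll=100, max_bet=10, daily_loss_limit=50,
                      max_consecutive_losses=3, dry_run=False)
    print(run_loop(guard, 10, 10, lambda a: next(ids), lambda b: next(outcomes)))
```

With `dry_run` left at its default the loop exercises every check but never calls `place_bet`, which is the mode to run the quickstart in first; the `rounds=10` style of `auto_bet` then cannot outlive the bankroll, the daily loss limit, or three consecutive losses.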

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest describes an autonomous crypto-trading and betting skill in broad terms without defining clear activation constraints, transaction limits, or conditions under which wallet, network, and exec capabilities may be used. In a financial skill with authority to create wallets and sign/send transactions, this ambiguity increases the chance the agent can be invoked in unsafe contexts or socially engineered into high-risk fund movement.

Unvalidated Output Injection

High
Category
Output Handling
Content
# Create wallet in an ISOLATED subprocess — private key never enters this conversation
os.makedirs("memory/clawbet", exist_ok=True)
result = subprocess.run(
    [sys.executable, "scripts/create_wallet.py", "--output", "memory/clawbet/.wallet"],
    capture_output=True, text=True,
)
Confidence
92% confidence
Finding
subprocess.run( [sys.executable, "scripts/create_wallet.py", "--output", "memory/clawbet/.wallet"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
vault_address = vault_info["onchain"]["vault_address"]

# 2. Send USDC via isolated subprocess (private key stays in the child process)
result = subprocess.run(
    [sys.executable, "scripts/sign_and_send.py",
     "--keypair-path", "memory/clawbet/.wallet",
     "--to", vault_address,
Confidence
94% confidence
Finding
subprocess.run( [sys.executable, "scripts/sign_and_send.py", "--keypair-path", "memory/clawbet/.wallet", "--to", vault_address, "--amount", "100"], capture_output
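Both Unvalidated Output Injection findings concern what crosses the subprocess boundary: the parent consumes the wallet child's stdout as-is, and an API-supplied `vault_address` goes straight to the signer. The following is an added example, not Clawbet code, showing a parent that accepts only a single JSON object with a base58 address from the child (so the private key can stay in the child, as the skill's own comment promises), never returns stderr, and validates destination and amount before building the `sign_and_send.py` command. The child script, the placeholder address, BASE58_ADDR, parse_wallet_output, create_wallet_isolated, build_send_argv and rejects are assumptions for illustration.

```python
"""Added example, not Clawbet code: validate what crosses the subprocess
boundary in both directions. The child script, placeholder address and all
function names here are assumptions for illustration."""
import json
import re
import subprocess
import sys

# Shape of a Solana-style base58 address (32-44 chars, no 0/O/I/l).
BASE58_ADDR = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")
EXPECTED_KEYS = {"address"}
PLACEHOLDER_ADDR = "1" * 32  # constructed, not a generated key

# Constructed stand-in for scripts/create_wallet.py: the secret stays in the
# child; only the public address is written to stdout, as one JSON object.
CHILD_SCRIPT = r"""
import json
secret = "placeholder-secret-never-printed"
print(json.dumps({"address": "1" * 32}))
"""


def parse_wallet_output(stdout: str) -> str:
    """Accept exactly {"address": <base58>}; reject prose, extra keys or
    anything that could be read as instructions if it reached the prompt."""
    try:
        doc = json.loads(stdout)
    except json.JSONDecodeError as exc:
        raise ValueError("child output is not a JSON document") from exc
    if not isinstance(doc, dict) or set(doc) != EXPECTED_KEYS:
        raise ValueError("unexpected fields in child output")
    addr = doc["address"]
    if not isinstance(addr, str) or not BASE58_ADDR.match(addr):
        raise ValueError("address is not base58 of the expected length")
    return addr


def create_wallet_isolated() -> str:
    """Run the child and hand back only the validated address. stderr is not
    returned: a traceback could carry the secret or planted text."""
    result = subprocess.run([sys.executable, "-c", CHILD_SCRIPT],
                            capture_output=True, text=True, timeout=30)
    if result.returncode != 0:
        raise RuntimeError(f"wallet child failed with rc={result.returncode}")
    return parse_wallet_output(result.stdout)


def build_send_argv(vault_info: dict, amount: float, max_amount: float) -> list:
    """Validate the API-supplied destination and the amount before either
    reaches the signer; script and keypair paths are the ones the page uses."""
    addr = vault_info.get("onchain", {}).get("vault_address")
    if not isinstance(addr, str) or not BASE58_ADDR.match(addr):
        raise ValueError("vault_address from the API is not a valid base58 address")
    if not (0 < amount <= max_amount):
        raise ValueError("amount outside the configured cap")
    return [sys.executable, "scripts/sign_and_send.py",
            "--keypair-path", "memory/clawbet/.wallet",
            "--to", addr, "--amount", f"{amount:.6f}"]  # USDC has 6 decimals


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise the checks."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The parent never sees the key and never forwards raw child output or stderr into the conversation, which is the property the page's `Keypair.from_base58_string("YOUR_PRIVATE_KEY")` example undermines; the amount cap belongs in the same place as the address check, since both arrive from outside the agent's trust boundary.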

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal