VIGIL Security Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a VIGIL security scanner, but it ships write-capable crypto and reporting scripts that conflict with parts of its read-only presentation.

Install only if you are comfortable with a crypto tool that can send wallet/token addresses to external services and includes scripts capable of submitting reports and initiating Bankr revocation transactions. Treat BANKR_API_KEY as a sensitive read-write credential, inspect commands before running them, and avoid using the revoke or report scripts unless you intentionally want those write actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is described as a read-only security scanner, but the API reference also exposes a community scam report submission endpoint. This creates a capability/scope mismatch that can mislead users and integrators about what the skill may transmit externally, enabling unanticipated outbound data submission and potential abuse of user-provided content.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
A community database submission feature is not justified by the stated purpose of a keyless read-only scanner, so users may reasonably assume no third-party write operations occur. That mismatch increases the risk of privacy-impacting or reputation-affecting submissions being triggered without sufficiently clear user understanding or governance.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The integration guide tells users to proceed from security scanning directly into a Bankr trading action, which expands the skill's effective use from read-only analysis into transactional behavior. In a security-scanner context, this coupling is dangerous because users may over-trust scan output and treat it as trade authorization, increasing the chance of unsafe or manipulated decisions.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The statement that no data is shared with third parties is contradicted by the documented use of Bankr APIs and the public VIGIL endpoint, which necessarily receive user requests and related metadata. Misrepresenting data flows is dangerous because it can cause users to expose wallet addresses, approval data, or API credentials under false privacy assumptions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The smoke test exercises wallet-level reporting and monitoring functions that go beyond the stated manifest scope of token/contract scanning. Even though the tested wallet is a public address, this expands the operational capability of the skill into address surveillance and can lead to collection, transmission, or normalization of wallet profiling features that users would not expect from the declared scope.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script clearly goes beyond read-only scanning and performs state-changing blockchain transactions by invoking `bankr agent` to revoke approvals. This creates a capability mismatch between the skill's stated read-only purpose and its actual behavior, which can mislead users or downstream systems into granting trust or execution privileges they would not otherwise allow.

Intent-Code Divergence

Low
Confidence
87% confidence
Finding
The inline comments describe the tool primarily as a scanner, but the code later performs batch revocations through Bankr. This mismatch is dangerous because operators may review or approve the script under the assumption that it is informational only, increasing the risk of unintended onchain actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script clearly implements a write action that submits scam reports, while the skill metadata emphasizes keyless read-only scanning and only separately mentions revoke actions as gated. This mismatch can mislead users, auditors, or orchestration systems into granting or invoking capabilities they would not expect from a supposedly read-only skill, creating a hidden state-changing operation with reputational and abuse risk.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The inline comments normalize a reporting workflow as a standard VIGIL action even though it contradicts the advertised read-only scope. That framing increases the chance that operators, agents, or users invoke a state-changing community-report action without recognizing it as a sensitive write operation, which can lead to unauthorized or unintended submissions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation includes wallet reporting and transaction-related submission endpoints without prominent warnings about privacy and account impact. In a security-scanning context, users may expect passive analysis only, so undocumented or under-warned reporting and submission behaviors raise the risk of unintended disclosure of wallet data or unintended account-affecting actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to export a BANKR_API_KEY into the shell environment without any warning that the credential is sensitive or guidance on limiting exposure. Environment-exported secrets can leak through shell history, process inspection, logs, screenshots, or inherited subprocesses, especially in agent-driven environments.

Missing User Warnings

Low
Confidence
97% confidence
Finding
The script sends the user-supplied wallet address and chain to an external API via `vigil_call vigil_wallet_report` without any user-facing notice or consent at runtime. Although this is a read-only scanner and the data is not secret in the cryptographic sense, wallet addresses are privacy-sensitive because they can reveal portfolio, approvals, and behavioral patterns when linked to a user.

Credential Access

High
Category
Privilege Escalation
Content
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

# Load .env if exists
if [ -f "$PROJECT_DIR/.env" ]; then
  set -a
  source "$PROJECT_DIR/.env"
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

# Load .env if exists
if [ -f "$PROJECT_DIR/.env" ]; then
  set -a
  source "$PROJECT_DIR/.env"
  set +a
Confidence
94% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Load .env if exists
if [ -f "$PROJECT_DIR/.env" ]; then
  set -a
  source "$PROJECT_DIR/.env"
  set +a
fi
Confidence
97% confidence
Finding
.env"

VirusTotal

64/64 vendors flagged this skill as clean.
