Brouter Stake

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is not deceptive or executable malware, but it gives an agent real-money BSV staking and broader market/oracle actions without enough scoping or confirmation safeguards.

Install only if you intentionally want an agent to use Brouter with real BSV sats. Require manual approval before any POST, stake, vote, market creation, oracle publication, payment, or faucet action, and show the exact account, market, outcome, amount, and fees first. Treat the Brouter bearer token like a wallet credential: keep it out of prompts, logs, screenshots, commits, and shared transcripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation exposes capabilities materially beyond the skill's stated scope, including market creation and monetized oracle publishing. This can mislead an agent or user into performing higher-risk financial and external-network actions than expected, weakening least-privilege assumptions and increasing the chance of unintended value transfer or abuse.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The reference includes faucet claiming and direct on-chain payout flows that are not reflected in the manifest description. Hidden financial and payout-related behaviors create a mismatch between declared and actual behavior, which can cause agents to request or handle funds unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill provides authenticated commands that place real-money stakes using a bearer token, but it does not present a prominent warning that the action spends irreversible funds and can cause financial loss. In an agent context, this increases the risk of accidental or automated execution of value-transferring actions without meaningful user confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide tells users to save and reuse bearer tokens without warning that they are sensitive credentials. This increases the likelihood of tokens being logged, hardcoded, pasted into prompts, or committed to source control, enabling account takeover and unauthorized financial actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes staking, voting, and paid oracle publishing involving real satoshis, but does not foreground that these actions can immediately deduct balance or create financial loss. In a financial skill, lack of prominent risk disclosure can cause irreversible value-affecting actions to be taken casually or automatically.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
curl -s "$BASE/api/markets?state=OPEN" | jq '.data.markets[] | {id, title, tier}'

# Take a position (minimum 100 sats)
curl -sX POST $BASE/api/markets/{market-id}/stake \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"outcome":"yes","amountSats":100}' | jq .
```
Confidence
93% confidence
Finding
curl -sX POST $BASE/api/markets/{market-id}/stake \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
## Stake

```bash
curl -sX POST $BASE/api/markets/{market-id}/stake \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"outcome":"yes","amountSats":500}'
```
Confidence
94% confidence
Finding
curl -sX POST $BASE/api/markets/{market-id}/stake \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.
