RanchiMall Messenger

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real blockchain messenger skill, but it handles wallet secrets and fund-moving actions with unsafe logging and weak safeguards.

Install only if you intentionally need a wallet-capable FLO messenger and are comfortable granting it access to real blockchain keys. Avoid using real funds or production keys until the PIN/private-key logging, command-line secret handling, plaintext group-key cache, and broadcast confirmation gaps are fixed; use a dedicated low-value wallet and review each transaction or destructive storage command before approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (37)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares required binaries and environment variables, but does not declare permissions while clearly describing network access and use of sensitive environment material (`FLO_PRIVATE_KEY`). That mismatch can cause the agent platform or reviewer to underestimate the skill's real privileges, especially because the skill can send messages, broadcast blockchain transactions, and contact remote supernodes. In this context, hidden capability is materially risky because the skill is a high-impact financial and messaging interface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill description frames the capability as messenger/blockchain interaction, but the body exposes materially broader functionality: admin configuration writes, raw cloud object operations, cryptographic primitives, secret-sharing, and additional browser/DApp behaviors. This kind of description-behavior mismatch is dangerous because agents and users may invoke the skill under a narrower trust model than the actual command surface warrants, enabling unexpected privileged or destructive actions.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The quick reference advertises `cloud_node` actions such as send-app, request-app, reset-object, and update-object that are not defined in the main script reference. Undocumented command surface is risky because it can hide higher-privilege or destructive behavior from reviewers and lead agents to call operations without clear semantics, safeguards, or approval expectations.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The quick reference lists additional `flo_node` actions like `write-data-multiple` and `read-all-txs` that are not defined in the earlier CLI documentation. This creates an ambiguous and potentially expanded execution surface, which is especially concerning in a skill that can move funds and write public blockchain data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The file header explicitly states that all actions are read-only and that no funds are moved, but the implementation includes a `broadcast` action that submits a signed Bitcoin transaction to the network. This mismatch can mislead users, downstream agents, or reviewers into invoking a fund-moving capability under the false assumption that it is non-transactional, increasing the risk of unintended asset transfer.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The header documentation understates the available capabilities by advertising only balance/send/history while the script also exposes key generation and multiple additional blockchain write operations. In a security-sensitive wallet/messenger skill, this can mislead reviewers, operators, or higher-level agents about the true attack surface and cause dangerous functions to be invoked without appropriate scrutiny or safeguards.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The `syncRequests` function accepts invitations where `info.model` is either `flo_multisig` or `btc_multisig`, even though this tool is presented as FLO-only. In a wallet/multisig context, cross-protocol invitation acceptance can confuse users, pollute local cache with incompatible pipeline metadata, and potentially lead operators to sign or act on transactions outside the intended asset/domain, which is especially risky in a financial skill.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file materially expands the skill from FLO/BTC messaging/blockchain operations into a broad multi-chain wallet derivation utility covering many unrelated ecosystems. In a wallet- or messenger-adjacent skill, code that can transform a single supplied private key into addresses for numerous chains increases the reachable attack surface and enables cross-chain asset discovery or misuse beyond what a user would reasonably expect from the declared capability set.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The aggregate `deriveAllBlockchainAddresses` function operationalizes the overbroad behavior by deriving or attempting to derive addresses for many chains from one WIF input in a single call. In this skill context, that makes abuse easier because any component with access to one private key can enumerate a user's presence across multiple ecosystems and potentially prepare downstream transaction or surveillance actions without separate authorization.

Context-Inappropriate Capability

Low
Confidence
92% confidence
Finding
The module performs an unsolicited external request to `api.ipify.org` to determine whether the user is on Tor, which unnecessarily discloses the user's public IP to a third party and creates a privacy leak outside the core blockchain operation. In a messaging/blockchain skill, covert environment fingerprinting is especially sensitive because users may rely on Tor for anonymity and may not expect the library to contact an unrelated service before any explicit action.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The module defines a global `window.myPrivKey` getter that returns the logged-in user's private key material. Any script running in the same origin, including injected third-party code, XSS payloads, browser extensions with page access, or compromised dependencies, can read the key and immediately take over blockchain identity, decrypt protected data, and sign transactions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
When private-key input is absent or cancelled, the code silently generates a new blockchain private key and persists secret shares and lookup indices locally. In a messaging/blockchain skill, this can cause users to unknowingly operate under a different identity, lose access to expected funds/messages, or create assets under an unrecoverable account.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The PIN verification path logs credential shares and the reconstructed secret to the console via `console.info(shares, secret)` and also logs index metadata. Console output is accessible to anyone with local debugging access, remote support tooling, log collectors, or malicious scripts that monkey-patch console methods, resulting in direct key disclosure.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The inbox reconnect logic automatically derives and subscribes to many non-FLO addresses, including a fallback path that listens on nearly all derived chain identities. In a messaging/blockchain skill, this broad silent monitoring materially expands the data collection surface beyond the stated use, increasing the chance of unintended message ingestion, privacy violations, and cross-chain identity correlation without explicit user consent.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
`rawFetch` exposes an arbitrary API-path fetch primitive that is broader than the token CLI's stated purpose and performs no allowlisting or path validation. In an agent skill context, this can be abused as a generic network capability against the configured backend, enabling unintended data access, backend method invocation, or misuse of privileged/internal API endpoints exposed by the token service.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation text is extremely broad, covering messaging, mail, contacts, blockchain actions, tokens, Bitcoin, multisig, and local storage as the 'primary way' to do many tasks. Overbroad triggers increase the chance an agent routes loosely related requests into a powerful skill that has network, secret, file-write, and financial transaction capabilities, expanding blast radius from normal user prompts.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The instruction 'When the user asks to perform any messenger operation' is ambiguous and lacks scope boundaries, yet the skill includes many capabilities beyond simple messaging. Ambiguous invocation criteria can cause accidental use of sensitive commands in contexts where a narrower, safer tool or a non-executing response would have been appropriate.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The `idb_node.js` section includes destructive operations such as clearing stores and deleting entire databases, but does not prominently warn about irreversible local data loss. In a skill that an agent may execute programmatically, missing deletion warnings can lead to accidental destruction of user data through misunderstood or loosely matched prompts.

Missing User Warnings

High
Confidence
99% confidence
Finding
The `securePrivKey` function prints the user-supplied PIN/password directly to stdout while handling a private-key protection workflow. In CLI environments, stdout is often captured by terminal scrollback, shell history wrappers, CI logs, remote session recording, or centralized logging, which can disclose the PIN needed to decrypt the protected key material.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The bulk transaction features accept raw private keys via `--privkeys` on the command line, which commonly exposes secrets through shell history, process listings, job control logs, and audit tooling. Because these are blockchain signing keys, disclosure can directly lead to irreversible theft of FLO assets and unauthorized transactions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists the group's plain AES encryption key (`eKey`) into `groups_cache.json` in cleartext, creating a local secret-at-rest exposure. Anyone or any process with filesystem access can recover the key and decrypt past and future cached group traffic, which is especially dangerous in a messaging/blockchain skill handling sensitive communications.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The script prints the full outbound group message to the console immediately before encryption and transmission. Console output may be captured by terminal history tools, logs, shell recording, CI runners, remote management systems, or shoulder-surfing, leaking message contents despite transport encryption.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The Cardano path accepts a raw WIF private key and feeds it into an external derivation library without any visible disclosure, consent flow, or safety boundary around cross-chain private-key reuse. Even if intended for convenience, handling highly sensitive key material this way in a messaging/blockchain skill can surprise users, normalize unsafe key reuse, and expose secret material to additional code paths or third-party libraries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The broadcast path sends raw transaction hex to a third-party service, which is an externally observable and irreversible action, yet this helper performs no consent, confirmation, or disclosure checks. In this skill context, the file is a primary programmatic interface for blockchain actions, so downstream callers may trigger mainnet broadcasts without surfacing the privacy and finality implications to users.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
These additional broadcast implementations also transmit raw signed transaction data to external APIs without any built-in user notice or confirmation gate. Because the skill is designed to send tokens and manage blockchain operations, the lack of a mandatory confirmation boundary increases the chance of accidental or opaque fund movement.

VirusTotal

VirusTotal findings are pending for this skill version.
