Security audit

Predictfunclaw

Security checks across malware telemetry and agentic risk

Overview

This is a real Predict.fun wallet and trading skill, but it needs review because it can move funds and approvals with broad key and subprocess access, and its vault documentation is contradictory.

Install only if you intentionally want an agent-accessible live Predict.fun wallet/trading tool. Start with fixture or read-only mode, use low-balance keys, provide only the secrets required for the selected mode, verify the erc-mandated-mcp executable before vault use, and manually review every approval, withdrawal, buy, or vault bootstrap command before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill advertises extensive capabilities (environment access, file read/write, MCP integration, network, and shell execution) yet does not declare permissions. In a skill that handles private keys, wallet actions, withdrawals, and command execution, this mismatch undermines informed consent and can expose users to secret leakage or unintended transaction-related operations.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The README contains unresolved Git merge-conflict markers with contradictory guidance about whether `mandated-vault` is a standalone user mode or only an internal/bootstrap path. In a wallet/trading skill that handles private keys, funding routes, and withdrawal flows, contradictory operator guidance can cause users or host agents to choose the wrong mode, misconfigure secrets, or invoke higher-risk control-plane actions unintentionally.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding: The README contains unresolved merge-conflict markers with contradictory security-relevant guidance about whether `mandated-vault` is a user-selectable standalone mode or only an internal bootstrap flow. In a wallet/trading skill that handles private keys, funding routes, and broadcast-capable commands, ambiguous docs can directly mislead users into unsafe setup paths, incorrect key provisioning, or execution of unsupported asset-moving operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The plan explicitly instructs use of an external sub-skill ('superpowers:executing-plans'), which expands the agent's effective capability surface beyond the stated Predict.fun trading/market CLI scope. In an agentic environment, delegating to another skill can bypass expected trust boundaries, introduce unreviewed behaviors, or cause the agent to follow hidden instructions from a separate capability module.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The service exposes direct asset-withdrawal and transfer primitives for BNB and USDT to arbitrary destination addresses, including raw token transfers and native-asset sends. In an agent skill whose declared purpose is market funding/trading/positions/hedging, this materially expands capability into general wallet exfiltration, so any prompt abuse, tool misuse, or weak authorization boundary could turn the skill into a fund-drain mechanism.

Natural-Language Policy Violations

Severity: Medium
Confidence: 98%
Finding: Unresolved merge-conflict markers are not just a documentation defect here; they create conflicting security-relevant instructions in a skill that can move funds and bootstrap vaults. This ambiguity increases the chance of unsafe operation, especially by automated agents that may parse README guidance to decide which commands, env vars, or funding paths to use.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The setup section introduces modes requiring private keys and signer-backed workflows without an immediate, prominent warning that these secrets grant asset control and that subsequent commands may trigger real mainnet effects. Because this skill is explicitly for live market access, wallet funding, and trading, burying safety caveats later increases the chance users paste production keys into `.env` files or proceed to dangerous commands without understanding the risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README provides direct examples for `wallet bootstrap-vault --confirm` and `wallet withdraw` adjacent to copy-pasteable commands but without a nearby explicit warning that these can broadcast real blockchain transactions affecting user assets. In this context, users may execute examples verbatim on mainnet, making documentation ambiguity operationally dangerous even though the file is not executable code itself.

Natural-Language Policy Violations

Severity: Medium
Confidence: 83%
Finding: The documentation strongly steers users toward mainnet and presents live templates as the primary examples, which can pressure users into performing real-network operations before safe validation in fixture or test environments. In a trading and wallet-management skill, this increases the chance of real fund exposure, accidental trades, or misuse of production credentials.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The plan explicitly adds automatic `.env` backfill after deployment, which means a local configuration file will be modified as a side effect of the workflow. Even though later steps mention explicit confirmation for broadcast and preserving unrelated secrets, the document does not require a separate user acknowledgment for file mutation or clearly scope which file/path will be edited, creating risk of surprising persistence changes and configuration tampering in sensitive developer environments.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding: This code sends market question text and related market metadata to an external LLM service via `client.complete_json(...)` without any indication here of user consent, disclosure, redaction, or data-minimization controls. Even if the data is only market content, external transmission can create privacy, compliance, or data-handling risk, especially if queries or proprietary trading analysis are later included in prompts.

Missing User Warnings

Severity: High
Confidence: 95%
Finding: This code places multiple private keys into the subprocess environment before executing an external command. Any executed child process, its descendants, crash dumps, debug tooling, or host-level process inspection may expose those secrets, so compromise of the configured MCP binary or its runtime can directly leak signing material.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.