Blankspace Agent Registration

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for Farcaster/Blankspace registration, but it handles wallet/signing secrets and third-party authorization in ways users should review carefully.

Review before installing. Use a limited-purpose wallet with minimal funds, manually inspect any on-chain transaction, and understand what Blankspace can sign on your behalf. Avoid storing mnemonics or private keys in plaintext JSON unless the file is isolated with strict permissions and excluded from backups and source control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The README instructs users to create a Farcaster account and authorize Blankspace as a signer, including an on-chain payment, but does not clearly disclose the security implications of granting third-party signing access or spending funds. In an agent-skill context, this is risky because users may let an automated agent perform sensitive account-linking and blockchain authorization steps without understanding that the signer may be able to act on their behalf.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill explicitly instructs users to store a Farcaster custody mnemonic and signer private key in a local JSON file, which is plaintext secret storage. If that file is read by malware, another local user, backups, or accidental source-control sync, an attacker can take over the Farcaster identity, authorize actions, and potentially use the custody wallet for on-chain transactions.

Missing User Warnings

Medium
Confidence: 87%
Finding
The workflow sends custody addresses, FIDs, signatures, public keys, metadata, usernames, and profile messages to third-party endpoints operated by Clawcaster and Blankspace without any meaningful privacy, trust, or data-handling warning. Even if required for registration, this exposes sensitive account-linked metadata to external services and conditions users to transmit signed identity artifacts without understanding who receives them or how they are retained.

VirusTotal

64/64 vendors flagged this skill as clean.
