AI Frens Onboarding

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it can sign real Base mainnet wallet transactions while using placeholder contract addresses and weak safety controls that could waste funds or mislead users.

Review carefully before installing or running. Do not use a primary wallet private key. Only test with a low-value burner wallet, verify the contract addresses in onboard.ts against trusted AIFrens sources, and avoid value-moving commands until the skill adds transaction previews, explicit confirmations, and verified on-chain success checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding:
The skill is presented as a simple onboarding flow, but the described behavior includes direct blockchain interactions, balance checks, and treasury fund claims/withdrawals. That mismatch is dangerous because users or calling agents may authorize wallet-connected actions and asset-moving operations without understanding the full scope, increasing the risk of unintended financial loss or abuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill marketed as onboarding also exposes a treasury withdrawal operation, which expands its authority beyond the stated purpose and enables movement of on-chain value. In an agent-skill context, hidden or bundled financial actions are dangerous because users or orchestrators may invoke the skill assuming it only performs setup, while it can also initiate withdrawals with the configured wallet.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The code loads WALLET_PRIVATE_KEY from the environment and immediately creates a signing account capable of submitting transactions. This gives the skill direct custody over funds and contract permissions, a highly sensitive capability that is more dangerous because the skill also includes payable and value-moving blockchain writes.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The README instructs users to pass a wallet private key directly via an environment variable in a shell command, but provides no warning about secure secret handling, hot-wallet risk, shell history exposure, or use of low-privilege/dev wallets. In a blockchain/agent skill context, this is materially dangerous because compromise of the key can directly lead to irreversible asset theft or unauthorized transactions.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The onboarding language is broad and promotional, with no clear trigger boundaries, safety preconditions, or exclusions for when the skill should not be used. In a wallet- and token-deployment context, vague activation criteria can cause an autonomous agent or user to initiate risky financial workflows too readily.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The markdown instructs users to connect a wallet, confirm transactions, launch a token, and link external identity sources without prominent warnings about financial loss, irreversibility, privacy exposure, or downstream data use. In this context, omissions materially increase user risk because blockchain transactions are hard to reverse and linked social/profile data can have lasting privacy implications.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The claim-treasury command submits a withdrawal transaction without any confirmation prompt, preview, or secondary approval despite moving treasury value. In an agent or automation setting, this materially increases the risk of accidental, coerced, or unintended fund transfers, especially since the amount is taken directly from CLI input and signed immediately.
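The transaction preview, explicit confirmation and verified on-chain success check that the overview and the claim-treasury finding above call for, as an added TypeScript example that is not part of the skill's own onboard.ts. It keeps the chain out of the picture so it runs offline: the operator allow-list VERIFIED_CONTRACTS, the per-transaction cap MAX_CLAIM, the chain-id check against Base mainnet (8453) and the minimal Receipt shape are assumptions standing in for whatever wallet client the skill uses, and the address in VERIFIED_CONTRACTS is a constructed sample value, not a real AIFrens contract.

```typescript
// Added example, not code from the AI Frens skill: the pre-flight checks a
// value-moving command such as `claim-treasury` should pass before anything
// is signed. No wallet client or RPC is used, so this runs offline; `Receipt`
// mirrors only the receipt fields the success check needs.

export type Receipt = {
  transactionHash: string;
  status: "success" | "reverted";
};

export type ClaimPlan = {
  ok: boolean;
  problems: string[];
  preview: string; // what the user must confirm, empty when blocked
};

// Hypothetical operator allow-list: addresses verified out of band against
// trusted AIFrens sources. The value is a constructed sample, not a real contract.
export const VERIFIED_CONTRACTS: { [role: string]: string } = {
  treasury: "0x5A3b9C4d8E7f1029384756AbCdEf0123456789Ab",
};

// Hypothetical per-transaction cap in whole tokens; tune per deployment.
export const MAX_CLAIM = "100";

const BASE_MAINNET_CHAIN_ID = 8453;
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const DECIMALS = 18;

function zeros(n: number): string {
  return n > 0 ? new Array(n + 1).join("0") : "";
}

// Convert a decimal token amount ("1.5") to an 18-decimal integer string
// ("1500000000000000000") without going through Number, which cannot hold wei.
export function toBaseUnits(amount: string): string {
  const m = /^(\d+)(?:\.(\d+))?$/.exec(amount.trim());
  if (!m) throw new Error("amount must be a plain non-negative decimal: " + JSON.stringify(amount));
  const frac = m[2] || "";
  if (frac.length > DECIMALS) throw new Error("amount has more than " + DECIMALS + " decimals");
  const raw = m[1] + frac + zeros(DECIMALS - frac.length);
  return raw.replace(/^0+(?=\d)/, "");
}

// Numeric comparison of two base-unit strings: -1, 0 or 1.
export function compareBaseUnits(a: string, b: string): number {
  if (a.length !== b.length) return a.length < b.length ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Reject malformed, unfilled or unverified contract addresses before they reach a signer.
export function checkContractAddress(role: string, addr: string): string[] {
  const expected = VERIFIED_CONTRACTS[role];
  if (!expected) return [role + ": no verified address on record"];
  if (!ADDRESS_RE.test(addr)) return [role + ": not a 20-byte hex address"];
  if (/^0x(.)\1{39}$/i.test(addr)) return [role + ": looks like a placeholder (all one digit)"];
  if (addr.toLowerCase() !== expected.toLowerCase()) return [role + ": does not match verified address"];
  return [];
}

// Build the plan: any problem blocks signing; a clean plan yields a preview that
// must be shown to a human and explicitly confirmed before the transaction is sent.
export function planClaim(treasury: string, amount: string, claimable: string, chainId: number): ClaimPlan {
  const problems = checkContractAddress("treasury", treasury);
  if (chainId !== BASE_MAINNET_CHAIN_ID) problems.push("chainId " + chainId + " is not Base mainnet (8453)");
  let units = "";
  try {
    units = toBaseUnits(amount);
  } catch (e) {
    problems.push((e as Error).message);
  }
  if (units) {
    if (units === "0") problems.push("amount is zero");
    if (compareBaseUnits(units, toBaseUnits(claimable)) > 0) problems.push("amount exceeds claimable balance " + claimable);
    if (compareBaseUnits(units, toBaseUnits(MAX_CLAIM)) > 0) problems.push("amount exceeds per-transaction cap " + MAX_CLAIM);
  }
  const preview = problems.length
    ? ""
    : "withdraw " + amount + " tokens (" + units + " base units) from " + treasury + " on chain " + chainId;
  return { ok: problems.length === 0, problems: problems, preview: preview };
}

// Gate signing on an explicit confirmation, then treat anything but an on-chain
// `success` status as failure: a mined transaction whose receipt says `reverted`
// burned gas and moved nothing, and reporting it as done would mislead the user.
export function executeClaim(
  plan: ClaimPlan,
  confirm: (preview: string) => boolean,
  send: () => Receipt,
): { sent: boolean; reason: string } {
  if (!plan.ok) return { sent: false, reason: plan.problems.join("; ") };
  if (!confirm(plan.preview)) return { sent: false, reason: "user declined" };
  const receipt = send();
  if (receipt.status !== "success") return { sent: true, reason: "reverted: " + receipt.transactionHash };
  return { sent: true, reason: "confirmed: " + receipt.transactionHash };
}
```

Wire confirm to an interactive prompt that defaults to no, so an agent invoking the command non-interactively cannot confirm on the user's behalf, and wire send to the wallet client's write-and-wait-for-receipt call; the receipt status, not the fact that a hash came back, is what decides whether the claim succeeded.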

VirusTotal

0 of 64 vendors flagged this skill; all 64 reported it clean. That result only reflects file-based malware signatures: the transaction-signing and private-key handling issues above are design and logic risks that antivirus scanning does not detect.