Uniswap Seek Protocol Fees

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate DeFi purpose, but its instructions allow irreversible wallet actions with ambiguous confirmation rules.

Review before installing. Use preview mode first. Verify the TokenJar and Firepit addresses, wallet, recipient, gas, and profitability math, and allow execution only after a fresh explicit confirmation of the exact burn and any swaps. Prefer a limited-balance wallet.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The manifest exposes only read-oriented MCP tools while the documentation claims the skill can execute burns and swaps through delegated subagents, creating a capability mismatch that hides destructive actions from surface-level review and policy controls. This makes it easier for an agent or reviewer to underestimate the operational risk and can allow fund-moving behavior to occur through less visible delegated pathways.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
The optional post-burn swap expands the skill from fee-claim analysis/execution into discretionary asset conversion, which is a separate fund-management action with additional market, slippage, and routing risk. Because it is not tightly justified by the core purpose, it increases the attack surface and the chance that users authorize more than they intended.

Intent-Code Divergence

High
Confidence: 98%
Finding
The skill states that execution requires explicit user confirmation, but later allows `auto-execute: true` to proceed without waiting, undermining the primary safeguard around an irreversible 4,000 UNI burn. In a high-value onchain context, this ambiguity can cause destructive execution based on inferred intent rather than an unambiguous, contemporaneous confirmation.

VirusTotal

62/62 vendors flagged this skill as clean.
