Blockchain Data Service (区块链数据服务)

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to provide read-only blockchain access, but it under-discloses persistent API-key storage and contains documentation drift that users should review before installing.

Install only if you are comfortable with the skill storing a blockchain API key locally in plaintext configuration. Prefer using a low-privilege, revocable key, check where the .env file is written, avoid committing it, and remove or rotate the key after testing. The unrelated documentation references should be fixed before relying on the skill in a sensitive workflow.

SkillSpector (6)

By NVIDIA

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding: A skill marketed as read-only blockchain access instructs the agent to persist a user-supplied API key to local configuration. Even if blockchain operations are read-only, storing credentials creates a separate secret-handling risk surface involving leakage, reuse, and unintended access by other components or users on the same system.

Intent-Code Divergence

High
Confidence: 95%
Finding: The documentation contains contradictory references to an unrelated gaokao/school-search skill and example function calls, which strongly suggests copy-paste drift or repurposed instructions. In a security context, this undermines trust in the documented behavior and raises the risk that the agent may invoke unintended tools, mishandle inputs, or route data to the wrong backend.

Description-Behavior Mismatch

High
Confidence: 96%
Finding: The file implements write-capable local state changes by persisting API keys into a .env file and mutating process environment/global settings, which conflicts with the stated 'read-only blockchain service' scope. This scope expansion increases attack surface because any caller able to invoke set_api_key can cause persistent local configuration changes and secret material to be written to disk.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding: The module includes a local credential management subsystem: it reads .env directly, writes API keys back to disk, exposes getter/setter helpers, and updates process state. For a skill advertised as read-only blockchain data access, this is an unnecessary privileged capability that can mishandle secrets or be abused by downstream code to persist attacker-controlled credentials.

Missing User Warnings

Medium
Confidence: 97%
Finding: The skill tells the agent to ask for an API key and save it locally, but it does not require notifying the user that their secret will be persisted. This undermines informed consent and can lead users to disclose a credential they expected to be used only transiently during the current interaction.

Missing User Warnings

Medium
Confidence: 95%
Finding: The code persists API keys to a local .env file silently, without any user-facing warning, consent, or indication of plaintext storage. This is dangerous because secrets may remain on disk longer than intended, be committed accidentally, be readable by other local users/processes, or violate operator expectations for a read-only data access skill.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.
