Ardi Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a real blockchain automation tool, but it gives an agent wallet-backed transaction and background-mining authority with weak consent and install controls.

Install only if you intentionally want an agent to operate a dedicated, low-balance Base wallet for Ardi. Avoid enabling auto-mine unless you accept recurring LLM usage, gas spending, and unattended commit/reveal/inscribe attempts. Prefer inspecting or pinning installers before running them, keep wallet funds limited, and review or revoke token/NFT approvals after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (22)

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The document says `market list/unlist/buy/show` is live and `repair` is live, while later stating the Forge, daily airdrop, and OTC market are Phase 2 and not deployed today. Contradictory operational claims in a wallet-connected web3 skill are dangerous because they can cause an agent to attempt unsupported commands, mislead the operator about asset handling, or initiate transactions under false assumptions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The bootstrap script fetches an installer from a remote GitHub URL and immediately executes it with `sh`, giving whoever controls that content the ability to run arbitrary code on the host. This exceeds a narrowly scoped skill action because the skill can change behavior after publication, and the user receives no integrity verification, pinning, or review opportunity before execution.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The script implements a general-purpose remote installation path using `curl`, `wget`, or Python and then executes the fetched payload, which is a classic arbitrary code execution pattern. In a skill context, this is especially risky because the manifested purpose is about Ardi operations, while this bootstrap silently introduces broad host compromise capability unrelated to a single deterministic task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The command honors the ARDI_AUTOMINE_INSTALLER environment variable and, if it points to any local file, executes it with bash. This creates an explicit arbitrary-script-execution path that can be abused by a malicious operator, poisoned environment, wrapper process, or social-engineered setup, and it exceeds a narrowly scoped 'mine Ardi' action by delegating trust to unchecked local code.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
If no local installer is found, the command clones a remote GitHub repository and then executes install.sh from that clone, effectively turning a user command into remote code download and execution. This is dangerous because compromise of the repository, dependency confusion around the source, or network/MITM issues in the trust chain could lead to arbitrary code execution on the host.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The README recommends executing a remotely hosted installer script by piping it directly into the shell, which removes any opportunity for users or agents to inspect what will run. If the GitHub account, repository, branch, or network path is compromised, this can lead to immediate arbitrary code execution on the host running the agent, which is especially dangerous because the skill is intended to manage blockchain-related operations and local state.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The README instructs users to clone another repository and run its `install.sh` with bash, again encouraging execution of unreviewed installer code without any warning or integrity verification. This creates a supply-chain risk through a second project dependency, expanding the trust boundary and allowing compromise of the agent host if that repository or installer is tampered with.

Vague Triggers

Severity: High
Confidence: 97%
Finding:
The trigger guidance tells agents to use the skill for broad phrases like 'I want one' and references mid-cycle/post-inscription operations, making accidental invocation highly likely. In this context, unintended activation is especially risky because the skill can lead to installs, daemon setup, wallet checks, and real on-chain actions involving gas, bonds, and asset transfers.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding:
The autonomous-mode triggers include vague phrases like 'just go,' 'run forever,' and 'leave it running,' which overlap with ordinary conversation and can cause the agent to install a persistent background miner without a clearly scoped request. Because this persistence is paired with blockchain activity and periodic command execution, accidental setup has meaningful operational and financial consequences.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill describes committing, revealing, inscribing, staking, buying, claiming, and transferring on-chain assets before presenting a concise, upfront safety warning that these are real blockchain transactions with irreversible effects and real fund usage. In a web3 skill that can trigger wallet actions, burying this warning increases the chance of uninformed consent and accidental loss or unwanted spending.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The installer downloads a release artifact from GitHub, marks it executable, and installs it locally or via sudo, but it does not verify a checksum, signature, or pinned release identifier before execution-ready placement. This creates a real supply-chain risk: if the GitHub release, repository, CI pipeline, or network trust chain is compromised, a malicious binary could be installed with user or elevated privileges.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The script downloads and runs a remote installer with no warning, prompt, or confirmation, so simply invoking the skill can execute unreviewed code on the machine. Because this skill is designed to be auto-invoked by agent frameworks as an initial action, the lack of consent and transparency makes exploitation more dangerous and increases the chance of silent system compromise or persistence.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The `list` flow silently sends a one-time `setApprovalForAll(otc, true)` transaction before listing, granting the OTC contract blanket transfer rights over all of the user's NFTs in that collection. In an agent-operated wallet context, this is more dangerous because a simple marketplace action implicitly expands long-lived authority; if the OTC contract is compromised, misconfigured, or replaced via untrusted config/env inputs, the wallet's NFTs could be drained without further consent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The command prints prescriptive guidance that directs users to staking flows, external sites, and a one-click buy-and-stake action that can purchase tokens, lock funds into veAWP, and allocate stake, but it does not clearly warn that these actions move assets, may be irreversible for a lock period, and carry smart-contract and market risk. In an agent skill context, this is more dangerous because the surrounding copy encourages autonomous use by agents and presents the action as the recommended path, which can nudge operators into approving financial operations without informed consent.

Vague Triggers

Severity: High
Confidence: 96%
Finding:
The README explicitly encourages automatic installation and continuous mining in response to broad natural-language phrases such as 'I want one' or 'mine continuously.' In an agentic environment, this can cause high-impact side effects—persistent background execution, wallet usage, API consumption, and on-chain transactions—without clear, explicit, informed user consent for each step.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The script explicitly states it will run an LLM runtime CLI using existing credentials from local stores such as ~/.claude/ or ~/.hermes/ without an explicit consent step or strong warning. In an agent-operated, non-interactive installer that also sets up persistence, this increases the risk of silently consuming privileged tokens or enabling automated actions under the user's existing account.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The README explicitly tells the user that dropping HEARTBEAT.md into the OpenClaw workspace will cause the gateway heartbeat to execute an Ardi mining tick on a recurring schedule, but it does not present a clear upfront warning that this creates ongoing automated agent executions and can incur repeated LLM/API costs. In the context of an agent-mining skill, this omission is more dangerous because users are being guided to enable unattended periodic actions that continue beyond the initial setup step.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill explicitly instructs the agent to execute shell commands that submit blockchain transactions (`commit`, `reveal`, `inscribe`) and notes gas costs, but it does not include any explicit user-facing consent, spending warning, or transaction confirmation guard. In an autonomous scheduler-driven context, this increases the chance of unintended on-chain actions, fund expenditure, and irreversible state changes without a human in the loop.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script includes the last five journal lines in its JSON output and is explicitly designed for an LLM agent to consume and narrate. Journal entries often contain operational details, file paths, transaction identifiers, error traces, and sometimes secrets or tokens emitted by dependent tools, so exposing them by default can leak sensitive data to downstream agents, users, or logs.

Sudo/Root Execution

Severity: Medium
Category: Privilege Escalation
Content:

```sh
# Excerpt of the install.sh binary-placement branch as shown in the scan output
# (the trailing else branch and closing fi are not included in the excerpt).
if [ -w "${INSTALL_DIR}" ] || [ "${INSTALL_DIR}" = "${HOME}/.local/bin" ]; then
  mv "${TMPFILE}" "${INSTALL_DIR}/ardi-agent"
elif command -v sudo >/dev/null 2>&1; then
  echo "Installing to ${INSTALL_DIR} (requires sudo)..."
  sudo mv "${TMPFILE}" "${INSTALL_DIR}/ardi-agent"
else
```

Confidence: 89%
Finding (matched pattern): `sudo`

External Script Fetching

Severity: Low
Category: Supply Chain
Content:

```sh
#!/bin/sh
# Install ardi-agent binary from GitHub releases.
# Usage:
#   curl -fsSL https://raw.githubusercontent.com/awp-worknet/ardi-skill/main/install.sh | sh
# or
#   sh install.sh
#
```

Confidence: 95%
Finding (matched pattern): `curl -fsSL https://raw.githubusercontent.com/awp-worknet/ardi-skill/main/install.sh | sh`

Chaining Abuse

Severity: High
Category: Tool Misuse
Content:

```sh
#!/bin/sh
# Install ardi-agent binary from GitHub releases.
# Usage:
#   curl -fsSL https://raw.githubusercontent.com/awp-worknet/ardi-skill/main/install.sh | sh
# or
#   sh install.sh
#
```

Confidence: 97%
Finding (matched pattern): `| sh`

VirusTotal

63/63 vendors flagged this skill as clean.
