Scout

Security checks across malware telemetry and agentic risk

Overview

Scout is purpose-aligned but needs review because it can send USDC and automated DM replies without a strong final approval gate.

Review before installing. Use a dedicated low-balance Base Sepolia wallet, prefer --dry-run, do not set SCOUT_PRIVATE_KEY unless you intend to allow transfers, and do not run dm-bot.js unless you accept automatic replies from your Moltbook account. Treat trust scores as advisory, not proof that a payment is safe.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code claims to ABI-encode Ethereum function calls, but derives the 4-byte method selector with SHA-256 instead of Keccak-256, which is required by the Ethereum ABI. As a result, every eth_call built by this helper is invalid for the intended contract methods, causing identity and reputation checks to fail silently or return misleading "not registered" / "no reputation" results. In a trust-scoring skill that answers whether to pay an agent, this can systematically distort security decisions and suppress legitimate trust data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents a payment command that can send USDC, but the documentation does not prominently warn that omitting --dry-run may transmit real funds. Users may copy-paste examples or invoke the command assuming analysis-only behavior, leading to accidental transfers. Because this skill directly answers 'should I pay this agent?' and includes wallet/private-key setup, the context makes accidental fund movement especially dangerous.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The bot automatically sends DM replies for any unread message that matches its parsing logic, with no explicit approval gate, opt-in check, dry-run mode, or per-conversation confirmation. In a messaging context, that means an attacker or unexpected sender can trigger outbound messages on the operator's behalf, causing unauthorized communication, spam, reputation damage, or accidental disclosure of analysis output to unintended recipients.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The module sends queried wallet addresses and agent IDs to a third-party RPC endpoint by default (https://eth.llamarpc.com), which exposes user-linked lookup activity to an external service. While this is common in blockchain integrations, the lack of disclosure, consent, or configurability safeguards can create a privacy leak, especially in a trust-intelligence product where queried addresses may reveal payment intent, vendor evaluation, or business relationships.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code sends user wallet addresses, and optionally explorer API keys, to third-party blockchain explorer services. While this is functionally necessary for this implementation, it creates a privacy and data-sharing risk because wallet lookups can reveal user interests and behavior, and the code contains no visible consent, disclosure, or self-hosted alternative to reduce that exposure.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
This code generates definitive-sounding payment and escrow guidance such as 'Safe for standard transactions' and '100% upfront acceptable' based solely on a heuristic trust score, without prominently warning that the output is probabilistic and may be wrong. In the context of a skill explicitly designed to answer 'should I pay this agent?', this can cause users or downstream agents to make real financial decisions with unwarranted confidence, increasing fraud and loss risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The transfer method directly signs and submits a real ERC-20 transfer whenever called, with no built-in confirmation, dry-run mode, recipient validation, or user acknowledgement at the execution boundary. In a payment-oriented skill, this increases the risk of accidental or socially engineered fund transfers if upstream code, prompts, or agent logic invokes it unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
safePay is more dangerous than a plain transfer because it frames the payment as trust-gated and can automatically send an upfront payment once internal heuristics pass, without any explicit final consent in this file. In the context of an agent marketplace skill whose purpose is deciding whether to pay other agents, this can normalize autonomous payments and make prompt manipulation, bad trust data, or logic mistakes lead directly to loss of funds.

External Transmission

Medium
Category
Data Exfiltration
Content
        key: opts.basescanKey || '',
      },
      'base': {
        url: 'https://api.basescan.org/api',
        key: opts.basescanKey || '',
      },
      'ethereum': {
Confidence
78% confidence
Finding
https://api.basescan.org/

External Transmission

Medium
Category
Data Exfiltration
Content
        key: opts.basescanKey || '',
      },
      'ethereum': {
        url: 'https://api.etherscan.io/api',
        key: opts.etherscanKey || '',
      }
    };
Confidence
78% confidence
Finding
https://api.etherscan.io/

VirusTotal

66/66 vendors flagged this skill as clean.
