Musashi

Security checks across malware telemetry and agentic risk

Overview

Musashi is mostly open about crypto analysis and optional on-chain publishing, but it also ships extra wallet-signing admin commands that are not clearly scoped in the skill instructions.

Review before installing, especially if you plan to configure OG_CHAIN_PRIVATE_KEY. Use only a dedicated low-funds wallet, assume publish mode can spend gas and create durable public records, and do not give the skill a wallet key unless you also accept the bundled admin commands exposed by the installed binary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (26)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no explicit permissions while requiring and using environment variables, including a private key for blockchain transactions. That mismatch can defeat user/operator expectations and policy enforcement, making sensitive-capability use less visible during review and increasing the chance of accidental secret exposure or unintended transaction signing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The manifest describes an analysis skill, but the body also performs on-chain publishing, storage uploads, agent/NFT updates, and token discovery. This behavioral gap is dangerous because reviewers may approve it as a read-oriented research tool while it actually has write-side blockchain effects and handles highly sensitive credentials like private keys.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is presented as a token analysis tool, but this command can publish a STRIKE conviction to a blockchain, which is a state-changing operation with external side effects. Mixing analysis with transaction-capable actions increases the chance that an agent or user invokes unintended on-chain writes, especially in automated workflows that trust the skill's stated scope.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The store command uploads arbitrary evidence JSON to external 0G Storage, which exceeds the expected behavior of a token analysis skill and creates a data exfiltration path. Because there is no visible confirmation or sensitivity check here, users or agents may transmit proprietary or sensitive material off-system without realizing it.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Minting an agent and managing its configuration are administrative blockchain actions unrelated to token analysis, yet they are bundled into the same skill entrypoint. In an agent-skill context, this scope expansion is dangerous because consumers may grant the skill permissions assuming it only performs analysis, while it can actually create on-chain assets and alter system configuration.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Recording outcomes and linking contracts are protocol administration operations, not token intelligence tasks, and they modify on-chain state. Bundling these actions into an analysis-branded skill undermines least privilege and can enable unauthorized or accidental administrative changes if the skill is invoked in broader automation.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The set-inft command performs one-time contract linkage, a sensitive setup action that can alter protocol behavior or trust relationships on-chain. This is especially dangerous in a token analysis skill because the declared purpose does not justify exposing initialization/admin functionality, making over-privileged use more likely.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This function goes beyond passive token analysis and can submit authenticated on-chain transactions via PublishStrike, altering external contract state. In the context of a skill described as token intelligence and analysis, hidden write-capable blockchain behavior is dangerous because it can spend funds, create durable records, and trigger real-world side effects without the user expecting transactional behavior.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code reads OG_CHAIN_PRIVATE_KEY from the environment and uses it to authorize blockchain transactions, which is not necessary for a read-only intelligence skill. Any component with access to an operator's signing key materially increases the blast radius of prompt abuse, code-path misuse, or accidental invocation, potentially leading to unauthorized transactions and fund loss.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
SetINFT performs a one-time administrative contract-linking transaction, which is unrelated to normal token analysis and has privileged, irreversible or hard-to-reverse consequences depending on contract design. Embedding admin setup capability inside a broadly triggered skill makes accidental or unauthorized contract reconfiguration more plausible.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
RecordOutcome writes reputation/outcome data on-chain, extending the skill from analysis into external bookkeeping with persistent state changes. In a token-analysis context, this is risky because an analysis invocation could silently mutate reputation systems, incur transaction costs, and corrupt downstream trust signals if misused or triggered unexpectedly.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file adds blockchain state-changing capabilities (minting and updating INFTs) inside a skill marketed as token analysis/intelligence. That expands the trust boundary from read-only analysis to asset-affecting actions, creating a risk that routine skill use could trigger irreversible on-chain writes and fees without the user clearly understanding that behavior.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code loads a private key from environment variables and uses it to sign transactions for on-chain writes unrelated to the advertised analysis scope. In an agent skill context, this is dangerous because possession of the key silently enables financial and state-changing actions, and any unintended invocation can spend gas or mutate contract state.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
MintAgent can create new MUSASHI agent INFTs, which is an asset-creation capability not justified by the stated token-analysis purpose. In this skill context, hidden or unexpected mint functionality is especially risky because it can create on-chain artifacts, incur costs, and potentially be abused through prompt-triggered workflows that users believe are read-only.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The comment frames the function as having an analysis-only fallback, but when a key is present it performs a real on-chain update. That mismatch can mislead maintainers or integrators into treating the function as safer than it is, increasing the chance of accidental state changes in environments where signing keys are configured.

Context-Inappropriate Capability

High
Confidence
88% confidence
Finding
The code invokes an external CLI to upload and download files to remote 0G storage, creating network and filesystem side effects that are not aligned with a token-intelligence skill. This expands the attack surface substantially: a caller can cause data exfiltration, remote fetches, and reliance on an external binary whose behavior is outside this code's control.

Description-Behavior Mismatch

High
Confidence
90% confidence
Finding
The implementation materially differs from the advertised purpose: instead of only analyzing tokens, it persists and retrieves evidence through an external decentralized storage system. In an agent setting, this kind of hidden capability mismatch is dangerous because users may provide sensitive data under the assumption of local analysis, while the code can store or retrieve data externally.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation conditions are broad enough to overlap with ordinary crypto conversation, such as general discussion of token analysis, scanning, or market narratives. In context, unintended invocation is more dangerous because the skill can search external systems, gather market data, and potentially progress toward transaction-related workflows if a user continues the interaction.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest trigger phrases include ambiguous terms like 'check conviction' and 'narrative meta' that could match benign conversation and invoke the skill unintentionally. Given this skill's ability to call binaries, inspect environment-backed configuration, and support eventual on-chain actions, accidental activation expands the attack surface and may cause confusing or risky workflow escalation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code sends user-supplied evidence to external storage without any user-facing warning, consent step, or indication of the destination at execution time. In agent or CLI automation, that creates a quiet exfiltration channel and raises privacy, compliance, and operational risks if sensitive data is passed as evidence.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The one-time SetINFT transaction can execute as soon as the function is called, with no visible user confirmation, warning, or secondary approval step. For an administrative action with durable on-chain effects, lack of confirmation materially increases the risk of accidental execution, social-engineering-triggered execution, or misuse through ambiguous skill flows.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code signs and submits blockchain transactions using an environment-sourced private key without any visible user-facing disclosure, confirmation, or interactive consent in the file. In an agent/skill environment, that omission is dangerous because users may invoke analysis features without realizing the code can spend gas and modify blockchain state on their behalf.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
UpdateAgentIntelligence performs a state-changing transaction whenever a private key is configured, but the function itself provides no warning or confirmation flow before signing and broadcasting. Because the surrounding skill is presented as analysis-oriented, this context makes the silent write path more dangerous: users and integrators are less likely to expect or monitor transactional side effects.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Uploads pass both file content and a private key into a subprocess that communicates with remote services, but this file contains no user-visible warning, consent flow, or disclosure. In the context of a token-analysis skill, undisclosed transmission of analysis artifacts or evidence is particularly risky because it can leak proprietary or sensitive user data unexpectedly.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The download path is caller-controlled and remote data is written to that path without any disclosure or confinement to a safe directory. Although the code blocks paths starting with '--', it does not prevent overwriting arbitrary files or writing outside an expected workspace, so misuse could alter local state in surprising ways.

VirusTotal

65/65 vendors flagged this skill as clean.
