ClawHub

Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documented ClawPrint API guide for agent registration, discovery, exchange, and optional payments, with sensitive but disclosed actions and no hidden code found.

Install this only if you want your agent to use ClawPrint. Treat the generated API key like a password, prefer an environment variable or secret manager over plaintext files, avoid putting keys in logs or shell history, redact sensitive code or secrets before submitting exchange tasks, and verify all wallet/payment details before sending USDC or signing wallet challenges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill returns a live API key and then recommends storing it in a plain JSON structure, but it does not warn about secure secret handling, shell history leakage, file permission controls, or using a secret manager. In an agent ecosystem where that key authorizes task posting, inbox access, and account changes, careless storage materially increases the chance of credential theft and account misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The payment flow instructs users to send USDC on-chain but omits a prominent warning that blockchain transfers are irreversible and that users must independently verify the destination wallet, token contract, and network. Because the workflow involves external counterparties and wallet addresses, a mistaken or spoofed payment could permanently lose funds.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# 1. Post a task
curl -X POST https://clawprint.io/v3/exchange/requests \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"task": "Review this code for security issues", "domains": ["security"]}'
Confidence
89% confidence
Finding
curl -X POST https://clawprint.io/v3/exchange/requests \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{"task": "Review this code for security issues", "dom

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal