Nadfun Skill

Security checks across malware telemetry and agentic risk

Overview

This looks like a real NadFun blockchain trading guide, but it needs review because it gives an agent access to a crypto private key and session credentials without enough safety boundaries.

Install only if you intentionally want an agent to help with NadFun/Monad trading or token-launch workflows. Use a dedicated low-balance wallet, never a main wallet key, keep session cookies and API keys out of logs, inspect transaction details before signing, and require manual confirmation for token, amount, slippage, deadline, gas, recipient, and contract address before any transaction.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The guide shows direct loading of a private key from an environment variable without any accompanying warning about secure secret storage, exposure in logs, shell history, CI systems, or the risks of using a hot key for automated trading. In a blockchain trading skill, this omission is materially risky because users may copy the pattern into production and mishandle a credential that directly controls funds.

Missing User Warnings

Medium
Confidence: 88%
Finding
The authentication flow documents nonce signing, session creation, cookie extraction, and reuse of the session cookie, but does not warn that the cookie is a bearer credential that must be protected in transit, storage, logs, and multi-tenant execution environments. In an agent or automation context, developers may inadvertently persist or forward the Set-Cookie value insecurely, enabling session hijacking for API key management.

VirusTotal

57/57 vendors flagged this skill as clean.
