Venus Agent Skills

Security checks across malware telemetry and agentic risk

Overview

This skill mixes Venus risk analysis with real DeFi transaction scripts that ask for private keys, so it needs careful review before use.

Install only if you intentionally want DeFi operations tooling, not just read-only Venus analysis. Use simulation-only mode by default, do not paste real private keys into command lines, prefer a safer wallet signer or a low-balance test wallet, and treat any broadcast or force-risk command as capable of causing irreversible loss.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (34)

Description-Behavior Mismatch (severity High, confidence 99%)
Claiming the skill is read-only while documenting deposit, withdrawal, borrow, repay, and collateral-configuration broadcasts creates a deceptive safety boundary. In a DeFi context, this is especially dangerous because users may expose wallets or approve workflows under the false assumption that no state-changing operation can occur.

Intent-Code Divergence (severity High, confidence 96%)
The documentation says execution planning should avoid broadcasting, but immediately nearby instructions reference broadcast-capable scripts for live financial actions. Conflicting guidance increases the chance that an orchestrator or user will invoke a state-changing path unintentionally, particularly in an environment handling borrowing, collateral, and liquidation-sensitive positions.

Description-Behavior Mismatch (severity High, confidence 98%)
The file is labeled as part of a Venus Protocol operations skill, but the embedded reference data clearly points to Flux protocol contracts on BNB Chain. This mismatch can cause the agent to analyze, recommend, or route user actions using the wrong protocol addresses, leading to materially incorrect risk assessments and potentially unsafe borrowing or collateral decisions in a DeFi context.

Description-Behavior Mismatch (severity High, confidence 94%)
The file documents Flux/Fluid operations even though the skill is described as Venus-only analysis guidance. This scope drift is dangerous because it can cause the agent to assist with an unrelated protocol and expose users to actions or recommendations that were never justified by the declared skill boundaries.

Description-Behavior Mismatch (severity High, confidence 97%)
The documentation includes broadcast lend and withdraw commands, which go beyond analysis and risk guidance into direct transaction execution. In an analysis-oriented skill, this increases the chance the agent facilitates irreversible on-chain actions rather than providing read-only assessment, creating a materially more dangerous operating context.

Context-Inappropriate Capability (severity Critical, confidence 99%)
The examples instruct users to pass a raw private key on the command line for broadcast operations, which is highly sensitive and inappropriate for a skill whose stated purpose is analysis. This can lead to key exposure through shell history, process listings, logs, or agent mishandling, enabling theft of assets and unauthorized transactions.

Description-Behavior Mismatch (severity High, confidence 96%)
The quick-commands file exposes real transaction-executing commands that accept a private key and support broadcast for deposit, withdraw, borrow, repay, and collateral changes, even though the skill is described as analysis-first and position/risk guidance oriented. This materially expands the operational scope from read-only analysis into fund-moving actions, increasing the chance that a user or downstream agent treats the skill as safe for execution and signs or submits unintended on-chain transactions.

Description-Behavior Mismatch (severity High, confidence 97%)
The file documents Flux/Fluid operational scripts on BNB Chain, while the skill manifest says the skill is for Venus Protocol analysis only. This scope mismatch is dangerous because it can cause an agent or operator to invoke unsupported protocol actions and trust guidance outside the declared safety boundary, including transaction workflows on another protocol.

Description-Behavior Mismatch (severity High, confidence 98%)
The README includes broadcastable lend and withdraw commands with private-key and confirmation arguments, which exceeds an analysis-only skill description. In a skill context, this is especially risky because users may believe they are getting passive risk guidance, while the artifact enables direct fund-moving operations that could trigger unintended on-chain transactions.

Intent-Code Divergence (severity Medium, confidence 84%)
The documentation asserts that wallet/signer matching is 'enforced in scripts,' but this file provides only guidance and command examples, not evidence of the control. Unsupported security claims are dangerous because operators may rely on a protection that is absent, incomplete, or bypassable when executing broadcast commands with private keys.

Description-Behavior Mismatch (severity High, confidence 98%)
The script clearly queries Flux/Fluid-style fToken market data via `getFTokensEntireData`, while the skill manifest says the skill analyzes Venus Protocol positions and markets on BNB Chain. This mismatch can cause the agent to return materially wrong risk, APY, collateral, or liquidation guidance under the Venus label, which is dangerous in a financial decision-support context because users may act on incorrect protocol data.

Intent-Code Divergence (severity Medium, confidence 94%)
The inline comments and output note explicitly describe Fluid/Flux fToken reward-rate semantics (`1e12 precision`, `fToken code`) despite the skill being presented as Venus analysis. That indicates protocol-semantic confusion, increasing the likelihood that rates and APRs are interpreted with the wrong units or assumptions, leading to misleading user guidance about yields and safety.

Description-Behavior Mismatch (severity High, confidence 98%)
The script performs live on-chain lending actions against Flux by calling approve and deposit, even though the skill is presented as a Venus Protocol analysis tool focused on risk guidance. This mismatch is dangerous because users invoking an analysis-oriented skill could be induced to execute real asset-moving transactions on an unrelated protocol, causing unintended fund deployment and trust-boundary violation.

Context-Inappropriate Capability (severity High, confidence 97%)
The script requires a raw private key for broadcast mode and signs transactions locally, which is unjustified for a skill whose stated purpose is position analysis and risk evaluation. Collecting private keys in this context materially increases the chance of credential exposure, misuse, or user coercion into authorizing transactions they did not expect from an analysis skill.

Context-Inappropriate Capability (severity High, confidence 99%)
Broadcast mode enables two state-changing operations: ERC-20 approval and Flux deposit. In the context of a Venus risk-analysis skill, these actions are unrelated to the advertised purpose and can directly alter user asset positions, making the skill materially more dangerous because the surrounding context lowers user suspicion and raises the likelihood of unintended execution.

Description-Behavior Mismatch (severity High, confidence 97%)
The script clearly queries a Flux lending resolver and reads a Flux-specific address config, while the skill manifest claims Venus Protocol analysis. This mismatch can cause users or downstream agents to make lending, collateral, and liquidation decisions using data from the wrong protocol, which is especially dangerous in a risk-advisory DeFi context where protocol semantics, markets, and risk parameters differ materially.

Description-Behavior Mismatch (severity High, confidence 98%)
This script can perform a real on-chain withdrawal via `fts.withdraw(...)`, which is a state-changing asset movement operation. That capability is inconsistent with the skill's stated purpose of risk analysis and what-if guidance, so a user invoking the skill could be induced into executing fund-moving actions they did not expect from an analysis-only tool.

Context-Inappropriate Capability (severity High, confidence 99%)
The file accepts a private key from CLI arguments and constructs a signer to broadcast a withdrawal transaction. Embedding secret-handling and live transaction execution in a skill advertised for analysis materially increases the chance of credential exposure, unintended signing, and unauthorized asset movement, especially because users would not reasonably expect key usage from this skill context.

Context-Inappropriate Capability (severity Medium, confidence 92%)
The script is for Flux protocol withdrawals, while the skill metadata says it is for Venus Protocol analysis on BNB Chain. This scope mismatch is dangerous because it broadens the effective authority and behavior of the skill beyond what users and reviewers are told, undermining trust boundaries and making hidden operational capabilities more likely to go unnoticed.

Description-Behavior Mismatch (severity High, confidence 97%)
This script can submit a live Venus borrow transaction in `broadcast` mode, which exceeds the skill's stated purpose of analysis and risk guidance. In an agent context, this creates a dangerous capability mismatch: a user or upstream tool may expect read-only advice but instead trigger debt creation on-chain, causing financial loss, liquidation risk, or unintended account changes.

Context-Inappropriate Capability (severity High, confidence 98%)
The script accepts a raw private key via CLI and uses it to create a signer for blockchain transactions, which is highly sensitive secret handling not justified by an analysis-only skill. Passing private keys through command-line arguments can expose them via shell history, process listings, logs, or agent telemetry, and enables immediate unauthorized asset-affecting actions if the skill is misused or invoked unexpectedly.

Description-Behavior Mismatch (severity High, confidence 98%)
The script can send live `enterMarkets` and `exitMarket` transactions that change a wallet's Venus collateral configuration, which exceeds the stated analysis/risk-guidance purpose of the skill. In this context, hidden or under-justified transaction capability is dangerous because enabling or disabling collateral can materially alter liquidation exposure and account safety.

Context-Inappropriate Capability (severity High, confidence 99%)
The code accepts `--private-key` and uses it to construct a signer and submit on-chain transactions, giving the skill direct custody over sensitive credentials and execution authority. For a skill described as analysis-only, this is a serious overreach: compromise, logging, misuse, or accidental invocation could lead to unauthorized account changes and broader wallet risk.

Intent-Code Divergence (severity Medium, confidence 87%)
The header comment says 'Default mode: simulate', which may reassure reviewers or users, but the script still contains a broadcast path that performs real state-changing transactions. This mismatch increases the chance of misunderstanding the skill's true capabilities and can reduce scrutiny around dangerous behavior.

Description-Behavior Mismatch (severity High, confidence 98%)
The script can approve tokens and broadcast live Venus deposit transactions, which exceeds the stated skill purpose of read-only Venus risk/position analysis. This mismatch is dangerous because an agent or user expecting analytics-only behavior could be induced to perform real on-chain state-changing actions that move funds or grant spending permissions.

VirusTotal

66/66 vendors flagged this skill as clean.