Openclaw Send Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is clearly intended to automate a Ceaser ETH transfer, but it gives the agent direct control over wallet secrets and irreversible on-chain transactions with limited built-in safeguards.

Install only if you intentionally want a high-automation crypto workflow and are comfortable letting the agent handle temporary wallet secrets and broadcast transactions. Use small amounts, verify the Ceaser package version and contract address, confirm recipient and refund addresses before funding, save the mnemonic and backup string offline, and assume session logs may contain sensitive recovery material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation asserts a CLI-only Ceaser workflow, but the actual procedure uses shell commands, direct RPC queries, local file edits, and helper scripts to manipulate notes and transactions. This is a true integrity issue because operators may trust the skill as a narrow wrapper while it actually performs broader filesystem and network actions.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The skill states the backup string must not be stored in memory or repeated, yet earlier instructions require retaining it in working context for later processing. That contradiction means highly sensitive withdrawal secrets are intentionally persisted during execution, increasing the chance of exposure through logs, memory, summaries, or prompt leakage.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The refund command gives the skill a general-purpose ETH transfer capability that goes beyond the described shield-transfer workflow. Because it can drain the hot wallet to any supplied recipient without an execution-time confirmation, a compromised agent flow or prompt-injected step could redirect all residual funds to an attacker-controlled address.

Context-Inappropriate Capability

Low
Confidence
80% confidence
Finding
Automatically loading a transaction from ~/.ceaser-mcp/pending-tx.json introduces implicit filesystem trust and creates a signing path from local state that the user may not realize is being used. Deleting that file after send also destroys auditability and can hide what was signed if the file was tampered with or unexpectedly reused.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The signer accepts arbitrary unsigned transaction JSON and only checks that required fields exist and the chain ID is Base. That means the hot-wallet mnemonic can be used to authorize any contract call or ETH transfer on Base, not specifically a Ceaser-generated shield transaction, which is especially dangerous in an agentic skill that automates signing and broadcasting.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code signs, broadcasts, and then deletes the pending transaction file without an explicit confirmation gate. In an automated agent context, this removes a critical human verification step before an irreversible on-chain action and makes accidental or malicious transaction substitution harder to detect after the fact.

Missing User Warnings

High
Confidence
95% confidence
Finding
The refund path computes the remaining balance and broadcasts a near-wallet-draining transfer to an arbitrary recipient with no confirmation prompt. Because blockchain transfers are irreversible, any mistake, prompt injection, or recipient tampering can permanently redirect all leftover funds from the hot wallet.

Ssd 3

High
Confidence
99% confidence
Finding
The instructions direct the agent to store a BIP-39 mnemonic in working context and later reuse it via an environment variable for signing and refund operations. A mnemonic is full wallet control material; exposing it to agent memory, shell environments, or logs can let anyone with access drain the hot wallet.

Ssd 3

Medium
Confidence
83% confidence
Finding
Collecting a refund address is expected for refunds, but the instruction to infer it from transaction history if not provided introduces reuse of derived financial-identifying data without explicit confirmation. In a privacy-oriented skill, this increases correlation risk and may cause funds to be sent to an address the user did not intend.

Ssd 3

High
Confidence
99% confidence
Finding
The backup string contains the nullifier and secret needed to withdraw shielded funds, and the skill explicitly instructs the agent to keep it for later steps. Retaining spend secrets in agent-controlled state is highly dangerous because compromise of the session, logs, or tool output can enable theft of the shielded ETH.

VirusTotal

57/57 vendors flagged this skill as clean.
