Openclaw Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned for Ceaser crypto privacy operations, but it handles spend-capable note secrets and on-chain withdrawal flows with some under-scoped documentation and reference files.

Review before installing. Use this only if you intend to let an agent help with Ceaser ETH shield/unshield workflows. Treat backup strings and `~/.ceaser-mcp/notes.json` like wallet secrets, do not paste them into logs or shared chats, and consider running in a separate low-privilege environment. Pin or inspect the `ceaser-mcp` npm package before using it with meaningful funds, and do not provide any admin or unrelated credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The manifest and description claim all operations use the ceaser-mcp CLI, but the body of the skill also directs users to interact with protocol REST and facilitator endpoints directly. This inconsistency can mislead users and downstream agents about the actual trust boundary, data flows, and security properties, increasing the chance that sensitive proof material or transaction data is sent to remote services unexpectedly.

Intent-Code Divergence
Severity: High
Confidence: 96%
Finding: The skill first states it cannot generate proofs and only queries the API, then later states the CLI generates ZK proofs locally for shield and unshield. That contradiction is security-relevant because users may misunderstand whether secrets and proof generation happen locally or are delegated remotely, which affects privacy guarantees, key handling, and trust in the facilitator.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The OpenAPI file documents a broader remote API surface than the skill metadata claims, including facilitator endpoints unrelated to a strict ceaser-mcp CLI-only interface. This can mislead agents or integrators into invoking unintended network capabilities, expanding the effective trust boundary and enabling actions the user did not expect from the skill.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The skill description promises manual signing and maximum privacy, but the API spec also exposes gasless settlement behavior that can submit proofs on-chain via a facilitator. That mismatch is security-relevant because an agent may route withdrawals through a third-party settlement flow, changing transaction trust assumptions and potentially degrading privacy despite the skill's stated guarantees.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: Including an administrative circuit-breaker reset endpoint in a user-facing skill reference exposes a privileged operational capability that is unrelated to normal privacy-pool use. Even if production requires an admin key, advertising the endpoint increases the chance that agents probe, misuse, or are later extended to handle privileged credentials, which widens the attack surface and risks unauthorized recovery of paused settlement operations.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The manifest description omits a prominent warning that using the skill can persist highly sensitive note material locally. Because note backups and local note stores are effectively spending secrets for private funds, failing to disclose disk persistence can cause users to invoke the skill in unsafe environments or on shared hosts.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The import and note-storage instructions describe how to persist backup strings and notes without a strong, nearby warning that these artifacts are private spending material. In a privacy-wallet context, insufficient warning materially raises the risk of accidental disclosure through shell history, logs, screenshots, backups, or multi-user filesystem access.

VirusTotal

45/45 vendors flagged this skill as clean.