Clawlett

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Clawlett is a coherent wallet-trading skill, but it handles real on-chain funds and has a material fee-disclosure mismatch that users should review before installing.

Install only if you are comfortable granting a generated agent key limited but persistent Safe trading authority. Before funding the Safe, verify the Zodiac Roles permissions, protect the local config and agent.pk file, confirm the actual partner fees shown in quotes, and do not execute swaps or updates unless you have reviewed the details.

Static analysis

Env credential access

Critical

Finding: Environment variable access combined with network send.

Env credential access

Critical

Finding: Environment variable access combined with network send.

Env credential access

Critical

Finding: Environment variable access combined with network send.

Env credential access

Critical

Finding: Environment variable access combined with network send.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI09: Human-Agent Trust Exploitation

Medium

What this means

A user could approve or execute a swap believing the default Kyber fee is lower than what the script actually applies.

Why it was flagged

The KyberSwap code applies a 50 bps / 0.5% partner fee to a hardcoded recipient, while SKILL.md describes KyberSwap as having a 0.1% partner fee. That mismatch can mislead users about trading costs.

Skill content

// Partner fee (0.5% = 50 bps)
const FEE_BPS = 50
const FEE_RECEIVER = '0xCB52B32D872e496fccb84CeD21719EC9C560dFd4'

Recommendation

Correct the SKILL.md fee disclosure or change the code so the fee matches the documented value, and show the fee and recipient in every quote before execution.

#ASI02: Tool Misuse and Exploitation

Medium

What this means

If the user confirms, the agent can execute swaps, approvals, wrapping/unwrapping, token creation, buys, and sells that affect real Base Mainnet funds.

Why it was flagged

The skill exposes high-impact on-chain transaction capabilities, but it documents a user-confirmation gate before execution.

Skill content

The default behavior for any swap, token creation, or trade request is quote/preview only. The agent should show the details and wait for the user to explicitly confirm execution

Recommendation

Review every quote, fee, token address, slippage setting, and transaction target before confirming execution.

#ASI03: Identity and Privilege Abuse

Medium

What this means

Anyone who obtains the generated agent key may be able to use the agent's granted Safe role within the configured permissions.

Why it was flagged

The scripts read a generated agent private key from local config and use it as an on-chain/signing identity. This is consistent with the skill's Safe/Zodiac Roles design, but it is sensitive delegated authority.

Skill content

const agentPkPath = path.join(configDir, 'agent.pk')
let privateKey = fs.readFileSync(agentPkPath, 'utf8').trim()
const wallet = new ethers.Wallet(privateKey, provider)

Recommendation

Protect the config directory and agent.pk file, fund the Safe conservatively, verify Zodiac Roles permissions, and ensure you know how to revoke the agent role or module.

#ASI03: Identity and Privilege Abuse

Low

What this means

If the runtime environment sets TRENCHES_API_URL to an untrusted server, session-bearing API requests could be sent there.

Why it was flagged

Authenticated Trenches requests include cookies and use a base URL that can be overridden by an undeclared environment variable.

Skill content

const TRENCHES_API_URL = process.env.TRENCHES_API_URL || 'https://trenches.bid'
headers: apiHeaders({
            'Content-Type': 'application/json',
            'Cookie': cookies,
        })

Recommendation

Use the default Trenches endpoint unless you intentionally trust a replacement, and have the skill warn before sending authenticated requests to any non-default API URL.

#ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

A future update could replace wallet-handling code, so the integrity of the git remote and tag matters.

Why it was flagged

The migration workflow can update the skill from a git remote, but the provided metadata lists the source as unknown and no signed tag or commit pinning is shown.

Skill content

Run `git fetch --tags origin` in the clawlett repo
...
Only if the user confirms: run `git checkout <latest-tag>` and execute the migration steps

Recommendation

Verify the repository origin, tag, and code changes before allowing any update, especially one that changes on-chain permissions.