Bou Wallet
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Bou Wallet is a guide to a direct wallet/trading API in which a bearer key can spend money, trade, transfer, or withdraw, but the provided artifacts do not show enough scoping or confirmation controls.
Use this skill only if you trust the Bank of Universe backend and understand the financial authority of the agent key. Start with read-only endpoints, verify `BASE_URL`, use a limited key if available, and require explicit confirmation for every payment, trade, transfer, leverage change, or withdrawal.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill with a valid key could place or cancel trades, change leverage, transfer funds, or withdraw funds; mistakes or prompt hijacking could cause real financial loss.
The skill's instructions give raw API access to high-impact financial actions. In the provided artifacts, these write operations are disclosed but not visibly bounded by confirmation, least-privilege scope, or reversibility controls.
Use this skill when an external agent already has an agent API key and needs to call this backend directly with curl ... the `/hyperliquid` endpoints for ... order placement, cancellation, leverage updates, transfers, and withdrawals.
Require explicit user confirmation before any paid, trading, transfer, leverage, or withdrawal request; prefer read-only checks first; enforce backend spending/trading/withdrawal limits where possible.
Anyone or any agent with the key may be able to act as the wallet agent for sensitive account and financial operations.
The bearer token is the permission boundary for all capability groups. Use of the token is expected, but the artifacts do not clearly show scoped permissions separating read-only access from trading, transfer, or withdrawal authority.
`AGENT_KEY`: bearer token in `ak_...` format
Treat the agent key as secret. Do not print, commit, or store it in repo files.
Use a dedicated least-privilege agent key, keep it out of logs and files, rotate or revoke it after use, and avoid giving the key to autonomous workflows that can perform writes.
Users have less built-in context for verifying that the backend and publisher are the intended financial service.
There is no executable package to inspect, but the artifact provides limited provenance for a skill that directs users to a financial backend.
Source: unknown
Homepage: none
No install spec — this is an instruction-only skill.
Verify the Bank of Universe domains and publisher through an independent trusted channel before entering or using an agent API key.
