Agnic

Advisory

Audited by VirusTotal on Apr 7, 2026.

Overview

Type: OpenClaw Skill
Name: agnic
Version: 1.0.0

The skill provides extensive capabilities for managing cryptocurrency wallets, executing trades, and handling email, but it relies on executing unpinned remote code via `npx agnic@latest` in SKILL.md. That pattern is a supply chain risk: whatever the npm package resolves to at the next invocation runs with the agent's wallet and credentials, so a compromised or malicious publish could exfiltrate private keys or drain funds. The functionality matches the stated purpose of an "agent wallet", but the broad Bash permission and the lack of version pinning for sensitive financial operations warrant a suspicious classification.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly or triggered on an ambiguous request, the agent could spend money, trade assets, or send funds to the wrong destination.

Why it was flagged

The skill exposes a broad CLI tool (the single allowed-tools entry `Bash(npx agnic@latest *)` permits every agnic subcommand) that can make paid x402 API calls, execute token trades, and transfer funds, but the instructions define no approval gates, spending limits, recipient validation, or other safety checks around any of them.

Skill content

allowed-tools: ["Bash(npx agnic@latest *)"]
...
npx agnic@latest x402 pay <url> --method GET --json
...
npx agnic@latest trade 10 USDC ETH --json
...
npx agnic@latest send <amount> <address> --network base --json

Recommendation

Require explicit user confirmation for every payment, trade, and transfer; show the exact amount, asset, network, recipient, fees, and quote before execution; and enforce per-action spending limits and recipient/network allowlists in the harness, not only in the prompt.
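The gate this recommendation describes, written out as an added example (hypothetical code, not part of agnic, OpenClaw or ClawScan): it parses a proposed agnic invocation in the three shapes quoted from SKILL.md, builds the exact amount/asset/network/recipient summary the user has to confirm, and refuses anything outside a caller-supplied policy. The command grammar, the policy format, the reading of `trade 10 USDC ETH` as "sell 10 USDC for ETH", the treatment of a bare `send` as moving the network's native asset, and the constructed example policy and address are all assumptions. It belongs in the harness, in front of the Bash tool, rather than in a prompt the model can talk itself out of.

```python
"""Policy gate for agnic-style wallet CLI invocations (added example, hypothetical)."""
import shlex
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from urllib.parse import urlparse


@dataclass
class Policy:            # caller-supplied; anything not listed is denied, never defaulted
    limits: dict         # per-asset ceiling for one action, e.g. {"USDC": Decimal("25")}
    recipients: set      # allowlisted recipient addresses, lowercased
    networks: set        # allowlisted settlement networks, e.g. {"base"}
    native_asset: dict   # network -> asset a bare 'send' moves (assumption, see evaluate)
    pay_hosts: set       # hosts an x402 payment may be made to


@dataclass
class Decision:
    allowed: bool
    summary: str                                 # the exact action to show the user
    reasons: list = field(default_factory=list)  # why it was denied; empty when allowed


def parse_invocation(cmd):
    """Split 'npx agnic@<spec> <verb> ... [--flag value] [--json]' into parts."""
    argv = shlex.split(cmd)
    if len(argv) < 3 or argv[0] != "npx" or not argv[1].startswith("agnic"):
        raise ValueError("not an agnic invocation: %r" % cmd)
    positionals, flags, i = [], {}, 2
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            positionals.append(tok)
            i += 1
        elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            flags[tok[2:]] = argv[i + 1]   # '--network base' carries a value
            i += 2
        else:
            flags[tok[2:]] = True          # a trailing '--json' is a bare switch
            i += 1
    return positionals, flags


def _check_amount(text, asset, policy, reasons):
    """Money is parsed with Decimal, never float; unknown assets are denied, not defaulted."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        value = Decimal(-1)
    cap = policy.limits.get(asset)
    if value <= 0:
        reasons.append("amount %r is not a positive number" % text)
    elif cap is None:
        reasons.append("no spending limit configured for %s" % asset)
    elif value > cap:
        reasons.append("%s %s exceeds the per-action limit of %s" % (value, asset, cap))


def _check_network(flags, policy, reasons):
    network = flags.get("network")
    if not isinstance(network, str):
        reasons.append("--network not specified; a hidden default would decide where funds settle")
        return "<unspecified>"
    if network not in policy.networks:
        reasons.append("network %r is not allowlisted" % network)
    return network


def evaluate(cmd, policy):
    """Decide whether the invocation may run and build the summary the user must confirm."""
    pos, flags = parse_invocation(cmd)
    reasons = []
    verb = pos[0] if pos else ""
    if verb == "send" and len(pos) == 3:
        # SKILL.md shape: send <amount> <address> --network <net>. Assumption: the
        # excerpt names no asset, so a send is treated as the network's native asset.
        network = _check_network(flags, policy, reasons)
        asset = policy.native_asset.get(network, "native")
        _check_amount(pos[1], asset, policy, reasons)
        if pos[2].lower() not in policy.recipients:
            reasons.append("recipient %s is not allowlisted" % pos[2])
        summary = "SEND %s %s to %s on %s" % (pos[1], asset, pos[2], network)
    elif verb == "trade" and len(pos) == 4:
        # SKILL.md shape: trade 10 USDC ETH. Assumption: sell <amount> <from> for <to>.
        network = _check_network(flags, policy, reasons)
        sell, buy = pos[2].upper(), pos[3].upper()
        _check_amount(pos[1], sell, policy, reasons)
        summary = "TRADE %s %s -> %s on %s (show quote and fees before signing)" % (pos[1], sell, buy, network)
    elif pos[:2] == ["x402", "pay"] and len(pos) == 3:
        # SKILL.md shape: x402 pay <url> --method GET. The price comes from the server's
        # 402 response, so only the destination can be pinned here; confirm the quote too.
        host = urlparse(pos[2]).hostname or ""
        if host not in policy.pay_hosts:
            reasons.append("payment host %r is not allowlisted" % host)
        summary = "PAY %s %s (amount quoted by server; confirm before paying)" % (flags.get("method", "GET"), pos[2])
    else:
        reasons.append("unrecognised or malformed command: %r" % " ".join(pos))
        summary = "REFUSED: " + cmd
    return Decision(allowed=not reasons, summary=summary, reasons=reasons)


# Constructed example policy and address (not real limits, not a real recipient).
EXAMPLE_ADDRESS = "0x" + "ab" * 20
EXAMPLE_POLICY = Policy(limits={"USDC": Decimal("25"), "ETH": Decimal("0.01")}, recipients={EXAMPLE_ADDRESS},
                        networks={"base"}, native_asset={"base": "ETH"}, pay_hosts={"api.example.com"})
```

Calling `evaluate("npx agnic@1.0.0 trade 10 USDC ETH --json", EXAMPLE_POLICY)` is denied solely because no `--network` was given, which is the point: the gate never fills in a default for anything that decides where money goes, and the `summary` it returns is what the user should see verbatim before the Bash tool is allowed to run.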

What this means

Users may not get adequate upfront notice that installing and using the skill can authorize wallet, payment, trading, and email actions through stored account credentials.

Why it was flagged

The registry credential contract says no primary credential, while the capability signals and skill behavior require wallet, purchase, and OAuth authority.

Skill content

Primary credential: none
...
Capability signals: crypto, requires-wallet, can-make-purchases, requires-oauth-token

Recommendation

Declare the OAuth/wallet credential requirements explicitly, document token scopes, and separate read-only operations from payment, trading, transfer, and email-send privileges.

What this means

The code that runs may change after installation, and users cannot verify from these artifacts exactly what code will handle their credentials and funds.

Why it was flagged

The skill runs the latest remote npm package at invocation time rather than a pinned, reviewed version: `npx agnic@latest` resolves the `latest` dist-tag on every run, so any new publish is downloaded and executed without a further install step or review. This is especially sensitive because the CLI handles wallet and payment authority.

Skill content

allowed-tools: ["Bash(npx agnic@latest *)"]

Recommendation

Pin the package to an exact version and verify its integrity hash, provide a source repository/homepage so the pinned code can be reviewed, and never use `@latest` for operations with wallet authority.
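One way to check both of the preceding points mechanically (the credential contract that says `none` while the capability signals demand wallet and OAuth authority, and the unpinned `@latest` spec), as an added example and not ClawScan's own scanner: a small lint over the skill's metadata that classifies the npm spec in each `Bash(npx ...)` allowed-tools entry, flags the bare `*` argument wildcard, cross-checks the primary credential against the capability signals, and proposes a pinned form. The metadata dict, its field names, the finding ids and the version passed as `pin_to` are assumptions constructed from the excerpts on this page.

```python
"""Manifest lint for OpenClaw-style skills (added example, hypothetical; not ClawScan)."""
import re

NPX_TOOL = re.compile(r"^Bash\(npx\s+(?P<pkg>\S+)(?P<rest>.*)\)$")
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")
# Capability signals that imply credential authority the contract must declare (assumption).
SENSITIVE_SIGNALS = {"requires-wallet", "can-make-purchases", "requires-oauth-token"}


def split_spec(pkg):
    """'agnic@latest' -> ('agnic', 'latest'); '@scope/name' -> ('@scope/name', '')."""
    head, body = ("@", pkg[1:]) if pkg.startswith("@") else ("", pkg)
    name, _, spec = body.partition("@")
    return head + name, spec


def classify_spec(spec):
    """Return None for an exact version, otherwise why the spec can change under the user."""
    if spec == "":
        return "has no version: npx resolves the newest publish on every run"
    if EXACT_VERSION.match(spec):
        return None
    if spec[0] in "^~><=*x|" or spec[0].isdigit():
        return "uses version range %r: any matching publish is accepted" % spec
    return "uses dist-tag %r: it moves whenever the package is republished" % spec


def lint_allowed_tool(pattern, pin_to=None):
    """Findings for one allowed-tools entry; non-npx entries are left to other checks."""
    findings = []
    m = NPX_TOOL.match(pattern)
    if not m:
        return findings
    name, spec = split_spec(m.group("pkg"))
    args = m.group("rest").strip()
    problem = classify_spec(spec)
    if problem:
        pinned = "Bash(npx %s@%s%s)" % (name, pin_to, " " + args if args else "") if pin_to else None
        findings.append({"id": "unpinned-npx", "severity": "high", "tool": pattern,
                         "detail": "%s %s" % (name, problem),
                         "fix": pinned or "pin %s to an exact, reviewed version" % name})
    if args == "*":
        findings.append({"id": "wildcard-args", "severity": "medium", "tool": pattern,
                         "detail": "every %s subcommand is allowed, including those that move funds" % name,
                         "fix": "list permitted subcommands individually; keep send, trade and "
                                "x402 pay behind a confirmation step"})
    return findings


def lint_credentials(primary_credential, capability_signals):
    """Flag a contract that declares no credential while signals require authority."""
    required = SENSITIVE_SIGNALS & set(capability_signals)
    if str(primary_credential).lower() in ("", "none") and required:
        return [{"id": "credential-mismatch", "severity": "high",
                 "detail": "primary credential is 'none' but capability signals require %s"
                           % ", ".join(sorted(required)),
                 "fix": "declare the wallet/OAuth credential and its token scopes explicitly"}]
    return []


def lint_skill(meta, pin_to=None):
    """meta: dict with 'allowed-tools', 'primary_credential', 'capability_signals'."""
    findings = []
    for tool in meta.get("allowed-tools", []):
        findings.extend(lint_allowed_tool(tool, pin_to))
    findings.extend(lint_credentials(meta.get("primary_credential", "none"),
                                     meta.get("capability_signals", [])))
    return findings


# Constructed from the excerpts quoted on this page; the field names are our own.
EXAMPLE_META = {
    "allowed-tools": ["Bash(npx agnic@latest *)"],
    "primary_credential": "none",
    "capability_signals": ["crypto", "requires-wallet", "can-make-purchases", "requires-oauth-token"],
}

if __name__ == "__main__":
    for f in lint_skill(EXAMPLE_META, pin_to="1.0.0"):
        print("[%s] %s: %s -> %s" % (f["severity"], f["id"], f["detail"], f["fix"]))
```

Run against the constructed metadata it reports three findings: the unpinned `agnic@latest` spec with `Bash(npx agnic@1.0.0 *)` as the pinned replacement, the bare `*` wildcard, and the credential mismatch. Pinning the version is necessary but not sufficient; an npm lockfile or integrity hash is what ties the version string to specific bytes, and the lint only knows what the manifest says.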

What this means

A wrong URL, recipient, or service choice could propagate across multiple external systems and result in unwanted signups, payments, or emails.

Why it was flagged

The documented workflow chains identity/email actions, external service signup, paid API calls, and outbound reporting without documented checkpoints or containment.

Skill content

Workflow: Sign Up + Pay + Report
...
Sign up for a service using agent email
...
Reply to verify
...
Make paid API call
...
Email results to user

Recommendation

Add user-review checkpoints before verification replies, paid calls, and outbound emails, and keep each step reversible or separately confirmed where possible.