CDP Wallet
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent about being a Coinbase wallet tool, but it lets an agent move or spend USDC with no visible spending limits or approval gate.
Review this carefully before installing with real funds. It appears purpose-built and disclosed, not malicious, but it gives the agent live wallet spending ability. Use a dedicated low-balance CDP wallet, start on base-sepolia if possible, restrict trusted payment destinations, and add external approval or budget controls before allowing autonomous payments.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

If an agent calls this command incorrectly or is tricked into doing so, it can send wallet funds to an unintended address.
The send-usdc command submits a real USDC transfer from command arguments. The provided artifacts do not show an in-skill confirmation prompt, max spend, recipient allowlist, or budget limit before funds are moved.
const result = await account.transfer({
  to,
  amount: amountAtoms,
  token: "usdc",
  network: NETWORK,
});
Use a dedicated low-balance wallet, prefer testnet first, add external approval/budget controls, and avoid giving the agent access to more funds than it is allowed to spend.

A paid resource can cause the agent to settle a payment under terms or on a network the operator may not have expected.
The x402 payment flow can pay an arbitrary resource URL inline, and the visible comment says the server's payment requirements determine the network rather than the operator's CDP_NETWORK setting.
pay-x402 <url> [options] Call an x402-protected URL, paying inline... Supports any EVM network the resource server requests; the network is determined by the server's PaymentRequirements, not by CDP_NETWORK.
Restrict pay-x402 use to trusted URLs, require user approval for paid requests, and add explicit limits for allowed networks, assets, and maximum payment amounts.
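The two findings above both recommend external controls (a recipient allowlist, a per-transfer cap, a budget, and explicit limits on networks and assets) that the skill itself does not provide. The following is an added example of such a gate, not code from the skill or from ClawScan: the request shape mirrors the account.transfer() call quoted in the first finding, while the policy values, the fixed clock and the mock account are constructed for illustration.

```javascript
// Added example (not the skill's own code): an external spending gate that applies
// the recommended controls before a transfer request reaches the wallet.
const USDC_ATOMS = 1_000_000n; // USDC uses 6 decimals; amounts are atomic units

// Constructed policy: testnet only, one known recipient, small per-call and daily caps.
const policy = {
  allowedNetworks: new Set(["base-sepolia"]),
  allowedRecipients: new Set(["0x1111111111111111111111111111111111111111"]),
  allowedAssets: new Set(["usdc"]),
  maxPerTransfer: 5n * USDC_ATOMS,   // 5 USDC per call
  maxPerWindow: 20n * USDC_ATOMS,    // 20 USDC per rolling window
  windowMs: 24 * 60 * 60 * 1000,
};

function createSpendingGate(policy, now = () => Date.now()) {
  const ledger = []; // approved transfers: { at, amount }
  const spentSince = (cutoff) =>
    ledger.filter((e) => e.at > cutoff).reduce((sum, e) => sum + e.amount, 0n);
  const deny = (reason) => ({ ok: false, reason });

  // Pure policy decision; usable from a test or an operator approval step.
  function authorize({ to, amount, token, network }) {
    if (!policy.allowedAssets.has(token)) return deny(`asset not allowed: ${token}`);
    if (!policy.allowedNetworks.has(network)) return deny(`network not allowed: ${network}`);
    if (!policy.allowedRecipients.has(String(to).toLowerCase())) return deny(`recipient not allowed: ${to}`);
    if (typeof amount !== "bigint" || amount <= 0n) return deny("amount must be a positive bigint");
    if (amount > policy.maxPerTransfer) return deny("exceeds per-transfer limit");
    const spent = spentSince(now() - policy.windowMs);
    if (spent + amount > policy.maxPerWindow) return deny("exceeds rolling budget");
    return { ok: true, remaining: policy.maxPerWindow - spent - amount };
  }

  // Records an approved transfer so later calls count against the budget.
  function record(amount) { ledger.push({ at: now(), amount }); }

  // The only path that touches the wallet: check, transfer, then record.
  async function guardedTransfer(account, request) {
    const decision = authorize(request);
    if (!decision.ok) throw new Error(`transfer blocked: ${decision.reason}`);
    const result = await account.transfer(request);
    record(request.amount);
    return result;
  }
  return { authorize, record, guardedTransfer };
}

// Constructed mock standing in for the CDP account: records calls, moves nothing.
const mockAccount = { calls: [], async transfer(req) { this.calls.push(req); return { status: "mock" }; } };
```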

Anyone or any agent process with this environment access can potentially use the wallet to sign payments.
The required credential is explicitly disclosed and necessary for the wallet purpose, but it is high-impact because it authorizes transactions.
The Wallet Secret is the credential that authorizes signing operations against the keys held in CDP's TEEs. Without it, the agent can read but cannot move funds.
Keep these credentials out of shared environments, rotate them if exposed, and use a separate wallet with limited funds for agent activity.

Restarting or redeploying the agent does not reset its wallet authority if the same credentials remain configured.
The wallet persistence is disclosed and useful for the stated purpose, but it means the agent will keep resolving to the same funded wallet across restarts when the same account name and credentials are used.
same name → same wallet across runs
Use a purpose-specific CDP_ACCOUNT_NAME, monitor wallet activity, and revoke or rotate credentials when the agent should no longer spend.

A future dependency update could alter behavior in a sensitive wallet/payment path.
The skill relies on npm packages with semver ranges. That is normal for a Node wallet integration, but installing later dependency versions can change the code that handles credentials and payments.
"dependencies": {
  "@coinbase/cdp-sdk": "^1.40.0",
  "@x402/core": "^2.0.0",
  "@x402/evm": "^2.0.0",
  "@x402/fetch": "^2.0.0"
}
Install from a trusted checkout, consider using a lockfile or pinned dependency versions, and review dependency updates before deploying with real funds.
