v1.4.0

wallet balance

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 3:08 AM.

Analysis

This skill coherently provides read-only wallet balance lookups, but users should know that wallet addresses can be saved locally and sent to Antalpha/public balance providers.

GuidanceThis appears to be a read-only wallet balance skill, not a transaction-signing or fund-moving tool. Before installing, decide whether you are comfortable sending queried wallet addresses to Antalpha/public providers and saving addresses locally for later reuse; protect any MCP_API_KEY you configure and verify the package source before running the Node gateway.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.

Registry provenance/install metadata is incomplete even though the package includes a Node server and README.md instructs users to run npm install and npm start.

User impactUsers may need to rely on the bundled files and README rather than registry provenance when deciding whether to run the local gateway.

RecommendationVerify the package source and dependency lockfile before running npm install or npm start, and prefer an official repository or signed release when available.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

README.md

`MCP_API_KEY` | Optional `Authorization: Bearer` value

The skill can use a bearer token for the Antalpha MCP integration; this is expected for provider access but should be handled as a credential.

User impactIf configured, the MCP API key could allow calls to the MCP service under the user's or operator's account.

RecommendationUse a least-privilege key if available, keep it out of committed files and logs, and rotate it if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

The gateway calls `https://mcp-skills.ai.antalpha.com/mcp` and invokes **`wallet-balance-query`** ... If local fails, retry a public deployment ... `https://api.antalpha.com/agent-skills/v1/assets?input={{input}}`

The skill explicitly sends queried wallet addresses or names to an external MCP/provider endpoint when performing balance lookups.

User impactExternal services may see the wallet addresses being checked and can potentially associate multiple lookups with the user or session.

RecommendationOnly query addresses you are comfortable sharing with the configured provider; disable MCP/fallback or use a trusted local deployment if address privacy is important.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

server.js

const MEMORY_FILE = process.env.MEMORY_STORE_PATH || path.join(__dirname, "remembered-addresses.json");

The server persists remembered wallet addresses to a local JSON file, and SKILL.md instructs querying saved addresses when the user asks without giving a new address.

User impactSaved wallet addresses can be reused in later balance checks and queried together, which may reveal a linked set of wallets.

RecommendationSave only addresses you intend to reuse, remove saved addresses when no longer needed, and place MEMORY_STORE_PATH somewhere with appropriate local file permissions.