CoinFello
Warn
Audited by ClawScan on May 10, 2026.
Overview
CoinFello is a coherent skill for crypto transactions, but it asks the agent to run an unpinned remote CLI that can sign wallet delegations and store sensitive wallet/session data.
Install only if you trust CoinFello and the npm package source. Prefer a pinned, reviewed CLI version; use hardware-backed keys; avoid unsafe private-key mode; inspect pending_delegation.json before approval; manually confirm token, chain, recipient, and limits; and stop the signer daemon when finished.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or compromised npm package version could affect wallet keys, session handling, or delegation signing without being reflected in the reviewed skill artifacts.
This instructs the agent to fetch and execute the latest npm package at use time. Because that package handles account creation, signing, and delegation approval, the unpinned runtime dependency is a material supply-chain concern.
The CLI is available via `npx @coinfello/agent-cli@latest`. No manual build step is required.
Pin and verify a specific CLI version, review the package source/provenance before use, and avoid running @latest for high-value wallet operations.
Approving the wrong pending delegation could authorize token transfers or other wallet actions beyond what the user intended.
A server-returned pending delegation controls what later gets signed and submitted. Although the docs say it is not signed automatically, the approval command itself is high-impact and the artifacts do not show a mandatory confirmation of token, chain, recipient, and maximum amount.
The server determines whether a delegation is needed and, if so, what scope and chain to use... `approve_delegation_request` ... creates and signs a subdelegation, and submits it to CoinFello.
Require explicit human review before running approve_delegation_request, and verify the chain, token address, max amount, recipient, and justification match the user request.
Anyone who can read the config file could gain access to the stored session or, if unsafe key mode is used, the wallet private key.
The local CoinFello config can contain a SIWE session token, stored delegations, and, in unsafe/private-key mode, a plaintext wallet private key. This is purpose-aligned but highly sensitive.
"private_key": "0xabc123...def", ... "session_token": "...", "delegation": { ... }
Use the hardware-backed default when available, avoid --use-unsafe-private-key except for testing, protect the config file, and revoke/rotate credentials if exposure is suspected.
If the daemon is left running, later signing operations may proceed with less direct user interaction than expected.
The optional daemon is disclosed and user-scoped, but it is a persistent background signer that removes repeated biometric/password prompts while it is running.
Running `signer-daemon start` authenticates once via Touch ID / password and caches the authorization. All subsequent signing operations reuse this cached context
Start the signer daemon only when needed, stop it after use, and do not combine it with automatic delegation approval workflows.
