Sign-in with Agent

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate SIWA authentication skill, but it can give agents wallet-signing, transaction, and payment authority without consistently requiring clear approval or spend limits.

Install only if you intentionally want to give the agent wallet-signing authority. Use a dedicated low-value or testnet wallet, prefer the keyring proxy over raw private keys, review the external SDK/container before deployment, and require explicit approval plus amount, network, recipient, and resource limits for every onchain transaction or x402 payment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (13)

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The documented `agent:flow` command chains wallet creation, registration, sign-in, and an authenticated API call, which can trigger onchain transactions and outbound network access in one step. Even though earlier sections mention funding requirements, this specific shortcut reduces user visibility and consent around costly or state-changing actions, increasing the chance an agent executes them without an explicit confirmation checkpoint.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The example performs an on-chain registration transaction via Circle's contract execution API without any explicit warning that this is a state-changing blockchain action that may incur fees and create irreversible on-chain state. In a skill meant to be copied by agents or developers, omission of this warning increases the risk of unintended registrations and unnecessary fund expenditure.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The authentication flow documents sending wallet address, signed SIWA messages, nonce tokens, and authenticated requests to remote endpoints, but does not include a privacy or data-sharing warning. Even though the URLs are placeholders, the skill encourages integration with arbitrary servers, which can expose identity-linked metadata and replay-sensitive authentication material if implementers do not understand what is being transmitted.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The examples transmit authentication material and identity-linked data to remote endpoints, including address, agentId, signed SIWA message, signature, nonceToken, and authenticated requests, without an explicit warning about privacy, logging, retention, or trust boundaries. Even though the URLs are labeled as placeholders, users are being guided to send sensitive auth artifacts to a server, which can enable tracking, replay attempts against weak implementations, or unnecessary disclosure if operators copy the pattern without proper safeguards.

Missing User Warnings

Severity: Medium
Confidence: 79%
Finding:
The x402 section introduces pay-per-request and pay-once flows but does not prominently warn users and integrators that enabling these endpoints can cause real financial charges. In an agent skill context, unclear disclosure increases the risk of accidental paid requests, unexpected billing, or deployment of monetized routes without adequate consent and safeguards.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The x402 payment example shows automatically retrying a request with a signed payment payload after receiving HTTP 402, but it never warns that this step may authorize an onchain payment and spend real funds. In an agent context, this is dangerous because developers may copy the pattern verbatim and allow unattended agents to pay arbitrary amounts or to unintended recipients without explicit policy checks or user/operator confirmation.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):
### Step 1: Request Nonce

```typescript
const nonceRes = await fetch("https://api.example.com/siwa/nonce", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
```
Confidence: 83%
Finding (matched string):
fetch("https://api.example.com/siwa/nonce", { method: "POST"

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):
```typescript
}, signer);

// Send to server for verification
const verifyRes = await fetch("https://api.example.com/siwa/verify", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ message, signature, nonceToken }),
```
Confidence: 88%
Finding (matched string):
fetch("https://api.example.com/siwa/verify", { method: "POST"

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):
### Step 1: Request Nonce

```typescript
const nonceRes = await fetch("https://api.example.com/siwa/nonce", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
```
Confidence: 83%
Finding (matched string):
https://api.example.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):
```typescript
}, signer);

// Send to server for verification
const verifyRes = await fetch("https://api.example.com/siwa/verify", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ message, signature, nonceToken }),
```
Confidence: 88%
Finding (matched string):
https://api.example.com/

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill, truncated by the scanner):
```typescript
import { signAuthenticatedRequest } from "@buildersgarden/siwa/erc8128";

const request = new Request("https://api.example.com/action", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ action: "execute" }),
```
Confidence: 80%
Finding (matched string):
https://api.example.com/

Credential Access

Severity: High
Category: Privilege Escalation
Content (excerpt from the skill):
**Recommended: Deploy to Railway with one click:**

[![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/siwa-keyring-proxy?referralCode=ZUrs1W)

Set `KEYRING_PROXY_SECRET` (shared HMAC secret) and either `KEYSTORE_PASSWORD` (for encrypted-file backend) or `AGENT_PRIVATE_KEY` (to use an existing wallet). After deployment, configure your agent with:
Confidence: 80%
Finding (matched string):
keyring

Credential Access

Severity: High
Category: Privilege Escalation
Content (excerpt from the skill):
## Important Notes

- **Private keys are NEVER accessible to you.** All signing is delegated to the keyring proxy over HMAC-authenticated HTTP. This is by design — even if you are compromised, the key cannot be extracted.
- **NEVER call the keyring proxy HTTP endpoints directly.** Always use the SDK functions (`createWallet()`, `signMessage()`, etc. from `@buildersgarden/siwa/keystore`) or the CLI commands listed above. The proxy uses a specific HMAC-SHA256 authentication protocol that the SDK handles internally — hand-crafting HTTP requests to the proxy will fail. If you cannot install the SDK, see the "Fallback: Manual HMAC authentication" section in skill.md for the exact protocol specification.
- **SIWA_IDENTITY.md** in `siwa/packages/siwa-testing/` contains your minimal identity state (address, agentId, registry, chainId). Read it to know your current state.
- If a command fails with "Cannot find module", run `cd /home/node/.openclaw/workspace/siwa/packages/siwa-testing && pnpm install` first.
Confidence: 72%
Finding (matched string):
keyring

VirusTotal

66/66 vendors flagged this skill as clean.