Back to skill

Security audit

Einstein x402 Blockchain Analytics

Security checks across malware telemetry and agentic risk

Overview

This skill is transparent about paid blockchain analytics, but it handles a crypto private key and can authorize real USDC payments with insufficient local safeguards.

Install only if you are comfortable funding and exposing a dedicated low-balance Base USDC wallet to this skill. Do not use a main wallet, avoid --yes and global auto-confirm in agent workflows, prefer environment variables or a secret manager over config.json, and remember that epstein-search sends your search terms to DugganUSA rather than the Einstein x402 service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Description-Behavior Mismatch

High
Confidence
88% confidence
Finding
The skill is presented as a blockchain analytics and DeFi intelligence tool, but the documentation exposes an unrelated Epstein document search capability. This scope mismatch increases supply-chain and trust risk because operators may grant wallet/payment-related privileges to a skill whose actual behavior extends beyond its declared purpose, making hidden or non-essential features harder to review and justify.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
Claiming the skill provides 27 blockchain analytics services while also documenting a non-blockchain search service is a documentation-integrity problem and indicates capability drift. In a wallet-enabled, paid skill, inaccurate scoping undermines user consent and security review because consumers cannot reliably determine what the skill actually does.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The setup script requests a raw blockchain private key, derives a wallet address from it, and can persist the key to config.json. For an analytics-oriented skill, handling a spend-authorizing secret materially increases risk because compromise of the local machine, repository, logs, or backups can directly lead to theft of funds and unauthorized micropayments.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script adds an unrelated `epstein-search` capability that is outside the declared blockchain analytics purpose of the skill and reaches a third-party API. In an agent-skill context, this is dangerous because it silently expands the tool’s data access scope and could be used to route sensitive or off-topic user queries to an unvetted external service under the cover of a trusted analytics skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code performs external searches against `analytics.dugganusa.com` for DOJ/Epstein documents, which is unjustified by the advertised function of the skill. That mismatch creates a covert data exfiltration and capability-expansion risk: user-provided queries are transmitted to an unrelated third party, potentially violating user expectations, policy boundaries, and least-privilege design.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples encourage running wallet-funded x402 queries and even show batch usage and per-query costs, but they do not prominently warn that these commands spend real USDC. In an agent or automation context, this can lead to unintended micropayments, repeated charges, or budget drain when users copy commands or when tools invoke them without explicit spending confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly instructs users to store a private key in `config.json`, which normalizes local plaintext secret storage. Although it briefly says to ensure the file is gitignored and mentions an environment variable alternative, the guidance still encourages a high-risk practice that can lead to accidental source control commits, local disclosure, or theft by other processes/users on the host.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The catalog documents a wallet-holdings endpoint that accepts a wallet address and returns a full portfolio breakdown with USD values, but it does not warn users that querying a third-party analytics service exposes wallet interests and may reveal sensitive financial and behavioral data. In a blockchain analytics skill, this omission matters because users may submit their own or others' addresses without understanding the privacy implications, increasing the risk of unintended disclosure and profiling.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
When --save-config is not used, the script prints an export command containing the full private key to the terminal. This exposes the secret to terminal scrollback, screen sharing, logging tools, shoulder surfing, and possibly shell history if copied verbatim, making theft of the wallet key and funds much easier.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This function automatically performs a paid network flow: it requests a 402 challenge, signs a payment authorization with the configured private key, and resubmits it without any user-visible consent gate in this file. In a skill context that may be triggered by natural-language requests, this creates a real risk of silent spending if upstream callers invoke it on untrusted or unexpectedly expensive endpoints.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code loads a blockchain private key from environment variables or a local config.json file and uses it for payment signing, but there are no disclosure, consent, or secure secret-handling safeguards evident here. Storing long-lived signing keys in a skill-local config file especially increases the chance of accidental exposure or misuse by other local processes, backups, or repository mistakes.

External Transmission

Medium
Category
Data Exfiltration
Content
process.exit(1);
    }
    const limit = parseInt(args.limit || '10', 10);
    const apiUrl = `https://analytics.dugganusa.com/api/v1/search?q=${encodeURIComponent(query)}&indexes=epstein_files`;
    process.stderr.write(`Searching Epstein files for: "${query}" (limit: ${limit}) — FREE\n`);

    try {
Confidence
95% confidence
Finding
https://analytics.dugganusa.com/

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| `--raw` | Data-only response (cheaper) | `false` |
| `--yes` / `-y` | Skip payment confirmation prompt | `false` |

To skip the confirmation prompt globally, set `EINSTEIN_AUTO_CONFIRM=true` or add `"autoConfirm": true` to config.json.

### `einstein-setup.mjs` (setup wizard)
Confidence
72% confidence
Finding
AUTO_CONFIRM

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| `--raw` | Data-only response (cheaper) | `false` |
| `--yes` / `-y` | Skip payment confirmation prompt | `false` |

To skip the confirmation prompt globally, set `EINSTEIN_AUTO_CONFIRM=true` or add `"autoConfirm": true` to config.json.

### `einstein-setup.mjs` (setup wizard)
Confidence
72% confidence
Finding
autoConfirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**What gets signed.** Each paid query signs an EIP-3009 `TransferWithAuthorization` message that authorizes a USDC transfer of the exact query price (shown before confirmation) from your wallet to the Einstein service address. The signature is single-use (unique nonce) and time-limited. No blanket approvals are granted.

**Payment confirmation.** By default, the CLI prompts before every paid query showing the exact cost. To skip the prompt for scripted/automated use, pass `--yes` / `-y` per-command or set `EINSTEIN_AUTO_CONFIRM=true` globally.

**No auto-installed packages.** The setup wizard does NOT run `npm install` automatically. You must install dependencies yourself so you can audit what is being installed.
Confidence
75% confidence
Finding
AUTO_CONFIRM

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
process.stderr.write(`Endpoint: ${url}${isRaw ? '/raw' : ''}\n`);
  process.stderr.write(`Params: ${JSON.stringify(body)}\n`);

  // Payment confirmation — skip with --yes, -y, EINSTEIN_AUTO_CONFIRM=true, or autoConfirm in config
  const skipConfirm = args.yes === true || config.autoConfirm === true;
  if (!skipConfirm) {
    const confirmed = await confirmPayment(`\nThis will spend ~$${price} USDC. Proceed? (Y/n): `);
Confidence
81% confidence
Finding
AUTO_CONFIRM

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
process.stderr.write(`Endpoint: ${url}${isRaw ? '/raw' : ''}\n`);
  process.stderr.write(`Params: ${JSON.stringify(body)}\n`);

  // Payment confirmation — skip with --yes, -y, EINSTEIN_AUTO_CONFIRM=true, or autoConfirm in config
  const skipConfirm = args.yes === true || config.autoConfirm === true;
  if (!skipConfirm) {
    const confirmed = await confirmPayment(`\nThis will spend ~$${price} USDC. Proceed? (Y/n): `);
Confidence
81% confidence
Finding
autoConfirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
const envKey = process.env.EINSTEIN_X402_PRIVATE_KEY;
  const envBaseUrl = process.env.EINSTEIN_BASE_URL;
  const envChain = process.env.EINSTEIN_DEFAULT_CHAIN;
  const envAutoConfirm = process.env.EINSTEIN_AUTO_CONFIRM === 'true';

  // 2. Fall back to skill-local config.json for any missing values
  let fileCfg = {};
Confidence
72% confidence
Finding
AutoConfirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
const envKey = process.env.EINSTEIN_X402_PRIVATE_KEY;
  const envBaseUrl = process.env.EINSTEIN_BASE_URL;
  const envChain = process.env.EINSTEIN_DEFAULT_CHAIN;
  const envAutoConfirm = process.env.EINSTEIN_AUTO_CONFIRM === 'true';

  // 2. Fall back to skill-local config.json for any missing values
  let fileCfg = {};
Confidence
72% confidence
Finding
AUTO_CONFIRM

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
privateKey: envKey || fileCfg.privateKey,
    baseUrl: envBaseUrl || fileCfg.baseUrl || 'https://emc2ai.io',
    defaultChain: envChain || fileCfg.defaultChain || 'base',
    autoConfirm: envAutoConfirm || fileCfg.autoConfirm || false,
  };
}
Confidence
78% confidence
Finding
autoConfirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
privateKey: envKey || fileCfg.privateKey,
    baseUrl: envBaseUrl || fileCfg.baseUrl || 'https://emc2ai.io',
    defaultChain: envChain || fileCfg.defaultChain || 'base',
    autoConfirm: envAutoConfirm || fileCfg.autoConfirm || false,
  };
}
Confidence
78% confidence
Finding
AutoConfirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
privateKey: envKey || fileCfg.privateKey,
    baseUrl: envBaseUrl || fileCfg.baseUrl || 'https://emc2ai.io',
    defaultChain: envChain || fileCfg.defaultChain || 'base',
    autoConfirm: envAutoConfirm || fileCfg.autoConfirm || false,
  };
}
Confidence
78% confidence
Finding
autoConfirm

Unpinned Dependencies

Low
Category
Supply Chain
Content
"private": true,
  "description": "OpenClaw skill for Einstein x402 blockchain analytics services",
  "dependencies": {
    "viem": "^2.0.0"
  }
}
Confidence
87% confidence
Finding
"viem": "^2.0.0"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/einstein-setup.mjs:177

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/lib/x402-pay.mjs:38

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/einstein-setup.mjs:187