ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawWallet

v0.1.1

A multi-chain wallet skill for AI agents, with local sandbox signing, secure PIN handling, and configurable risk controls.

2· 70·0 current·0 all-time
byClaw Wallet@clawwalletteam·duplicate of @clawwalletteam/claw-wallet-beta
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to provide a local multi-chain wallet sandbox and its instructions require reading local sandbox config (.env.clay, identity.json), using a local HTTP API, and optionally cloning a GitHub repo and running its installer — these capabilities are consistent with a wallet skill. However, the registry metadata at the top of the package states 'Required env vars: none' and 'Required config paths: none', whereas both SKILL.md and skill.yml explicitly reference CLAY_SANDBOX_URL, CLAY_AGENT_TOKEN/AGENT_TOKEN and config files. This mismatch is an incoherence that should be resolved.
!
Instruction Scope
The runtime instructions explicitly tell the agent to read local secret-bearing files (skills/claw-wallet/.env.clay, identity.json) for bearer tokens and then to prompt the user to open an external URL (https://www.clawwallet.cc/claim/<uid>) and to accept a message_hash from the user which the agent posts to the sandbox bind API. Directing the user to an external domain for a bind/claim flow and then performing agent-assisted binding/forwarding is a high-value operation (it may delegate control or associate the sandbox wallet with a remote account). These behaviors are plausible for a wallet but represent meaningful exfiltration/privilege-transfer risk and should only be done after a code/repo and domain provenance check. The instructions also instruct cloning and executing an installer script from the repo — this expands scope to running arbitrary remote code.
Install Mechanism
There is no packaged code in the skill bundle itself (instruction-only), but the declared install mechanism is a bootstrap-script that clones https://github.com/ClawWallet/Claw-Wallet-Skill.git and runs install.sh / install.ps1. Cloning from GitHub is common and traceable, but running an installer from a remote repo is a moderate risk (arbitrary code execution). The skill does advise reviewing the repository before executing the installer, which is appropriate. No shorteners or unknown download hosts are used.
Credentials
The env/config access the skill asks for (CLAY_SANDBOX_URL, CLAY_AGENT_TOKEN or AGENT_TOKEN and local identity files) is proportionate to a local sandbox wallet that needs a URL and bearer token. However, the package registry metadata at the top incorrectly claimed no required env/config; skill.yml and SKILL.md do require tokens and config paths. That inconsistency should be clarified. The number and sensitivity of requested secrets (agent bearer token) is appropriate for a wallet but requires careful handling and review.
Persistence & Privilege
The skill writes persistent wallet state into the workspace and starts a local sandbox process (via its wrapper scripts), which is expected for a local wallet. The skill is not marked always:true and does not request elevated system-wide privileges beyond workspace files and starting a local process; this is proportionate to its function. The fact that it will persist agent tokens in workspace files is expected but increases the importance of reviewing file permissions and repository provenance.
What to consider before installing
This skill behaves like a real local wallet integration but has several red flags you should address before installing: 1) Confirm the GitHub repository and the domain https://www.clawwallet.cc are legitimate and under the control of the project you trust; manually review the install.sh/install.ps1 and any code in that repo before running them. 2) Understand that the installer will write persistent wallet state and bearer tokens into skills/claw-wallet (check file permissions and secrets in .env.clay and identity.json). 3) Be cautious about the bind/claim flow — directing a user to an external claim URL and then posting challenge responses can associate your local wallet with a remote service and effectively transfer control; only proceed if you trust the external service. 4) Ask the publisher to fix the metadata mismatch (registry metadata vs SKILL.md/skill.yml) so required environment variables and config paths are clearly declared. If you cannot verify repo and domain provenance, do not run the installer or perform the bind step.

Like a lobster shell, security has layers — review code before you run it.

latestvk970mm2c0y309jskpd8bvtgpd983xn9y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments