Security audit

ClawWallet

Security checks across malware telemetry and agentic risk

Overview

This wallet skill has a legitimate local-wallet purpose, but it needs review because it handles wallet credentials while also running unverified remote installers and instructing agents to reveal a bearer token.

Install only if you trust the publisher and can verify the installer and sandbox binary provenance. Do not let the agent print or share AGENT_TOKEN or CLAY_AGENT_TOKEN, keep .env.clay and identity.json private, avoid the unrelated marketplace install flow, and approve wallet transactions only after checking recipient, chain, amount, fees, and contract details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill declares shell-capable behavior but does not expose a clear, minimal permission model commensurate with those capabilities. In practice it performs installation, process management, and deletion operations, so weak permission declaration increases the chance an agent or reviewer underestimates the skill's authority.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The stated purpose emphasizes secure wallet operations, but the documented behavior also includes remote script execution, binary replacement, daemon control, authenticated API use with local secrets, and full recursive uninstall. This mismatch can mislead users and orchestrators into invoking a much more privileged skill than the description suggests.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The wallet skill embeds a generic marketplace discovery and remote installation workflow unrelated to core wallet functionality. That expands trust boundaries from a local wallet sandbox to arbitrary third-party skills and creates an unexpected path for remote code or instruction chaining.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The document says policy cannot be changed from the sandbox CLI, then immediately shows a `policy set` example. Contradictory guidance around security policy management can cause agents or users to weaken controls unintentionally or trust inaccurate safeguards.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The script implements a self-upgrade path that downloads and executes a remote installer at runtime, which expands its behavior beyond local wallet/sandbox control into arbitrary remote code execution. Because the source URL is network-controlled and even overridable via an environment variable, any compromise of the host, DNS/TLS path, or configuration can result in execution of attacker-supplied code with the user's privileges.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The uninstall path irreversibly deletes the entire skill directory, including wallet-related files, creating a destructive capability in a wallet launcher. While interactive confirmation reduces accidental triggering, this still introduces significant risk of data loss if invoked by mistake, through automation, or after social engineering, especially given the sensitive wallet material mentioned in the warning.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The installer reaches out to a remote host to fetch multiple skill components, which expands trust beyond a purely local wallet setup and creates a supply-chain risk. Because the downloaded files are later made executable and used by the installer, compromise of the hosting domain, transport path, or release process could lead to arbitrary code execution during install.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The comments frame the wallet as a local-sandboxed, safety-oriented tool, but the documented installation path is a curl-to-bash workflow that executes unreviewed remote installer logic. That mismatch increases the chance users will over-trust the install process and run code directly from the network without independent verification.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README instructs users to pipe a remote script from clawwallet.cc directly into bash, which removes the opportunity to inspect the script before execution and makes installation dependent on the integrity of the remote host, TLS, and any upstream delivery path. In a wallet skill, this is especially dangerous because a compromised installer could deploy credential-stealing code, replace wallet binaries, or weaken signing and PIN protections while appearing legitimate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The PowerShell instructions download install.ps1 from the network and immediately execute it, again preventing meaningful user review and trusting a live remote script at install time. Because this skill manages wallet operations and local auth material, any compromise of the script source or delivery chain could result in malware installation, token theft, or transaction tampering.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The README tells users that the sandbox URL and bearer token are stored in skills/claw-wallet/.env.clay but gives no warning about protecting that file. In a wallet context, exposing the location of live auth material without handling guidance increases the chance that the token is accidentally committed, shared, or read by other local processes, enabling unauthorized wallet API access.

Missing User Warnings

High
Confidence
99% confidence
Finding
The install response explicitly instructs the agent to display `AGENT_TOKEN` to the user. This is a bearer token for authenticated sandbox API calls; exposing it enables whoever receives it to invoke wallet APIs, potentially including sensitive wallet actions, from outside the intended trust boundary.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The upgrade path executes a fetched installer without any meaningful trust warning, integrity verification, or confirmation that arbitrary code from the network will run locally. In a wallet skill context, this is especially dangerous because the same environment may contain authentication tokens, wallet metadata, and signing infrastructure that malicious installer code could steal or modify.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script downloads wrapper scripts and a binary from the network, writes them into the local directory, marks them executable, and later invokes them without integrity verification. This is a direct remote code execution and supply-chain exposure: if the remote content is tampered with, the installer will persist and run attacker-controlled code.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The installer reads a bearer token from .env.clay and transmits it in an HTTP Authorization header during wallet initialization without prominent disclosure or explicit user consent at that step. In a wallet context, silent credential use is sensitive because users may not realize installation is performing authenticated actions against a service endpoint and exposing secrets to any configured or attacker-influenced URL.

Ssd 3

High
Confidence
99% confidence
Finding
The response template directs disclosure of the sandbox bearer token taken from `.env.clay` or `identity.json`. Because the token authenticates local wallet API requests, revealing it destroys the secrecy of the primary authentication factor and can lead to unauthorized wallet access.

External Script Fetching

High
Category
Supply Chain
Content
---
name: claw-wallet
description: "A multi-chain wallet skill for AI agents, with local sandbox signing, secure PIN handling, and configurable risk controls."
metadata: {"openclaw":{"always":false,"autonomousInvocation":false,"modelInvocation":{"default":"require-user-confirmation","reason":"Reinstall, upgrade, uninstall, and transaction execution require explicit user confirmation."},"homepage":"https://github.com/ClawWallet/Claw-Wallet-Skill","repository":"https://github.com/ClawWallet/Claw-Wallet-Skill","upstream":{"skillRepo":"https://github.com/ClawWallet/Claw-Wallet-Skill","binaryRepo":"https://github.com/ClawWallet/Claw_Wallet_Bin","distributionHost":"https://www.clawwallet.cc/skills","distributionBase":"https://www.clawwallet.cc","branch":"dev","hosts":["github.com","www.clawwallet.cc"],"reviewNotes":["This repository contains the skill source and wrapper scripts.","Claw_Wallet_Bin contains the sandbox binaries referenced by the installer.","www.clawwallet.cc distributes the published installer, wrappers, and binaries for the dev environment."]},"os":["darwin","linux","win32"],"primaryEnv":"CLAY_AGENT_TOKEN","requires":{"bins":[],"anyBins":["bash","sh","pwsh","powershell","curl"],"env":["CLAY_SANDBOX_URL","CLAY_AGENT_TOKEN","AGENT_TOKEN"],"configPaths":["skills/claw-wallet/.env.clay","skills/claw-wallet/identity.json"]},"env":[{"name":"CLAY_SANDBOX_URL","description":"Base URL for the local Claw Wallet sandbox HTTP server.","required":true,"sensitive":false},{"name":"CLAY_AGENT_TOKEN","description":"Primary bearer token used for authenticated sandbox API calls.","required":true,"sensitive":true},{"name":"AGENT_TOKEN","description":"Legacy alias for the same sandbox bearer token.","required":false,"sensitive":true}],"configPaths":[{"path":"skills/claw-wallet/.env.clay","description":"Local sandbox connection file containing CLAY_SANDBOX_URL plus CLAY_AGENT_TOKEN or AGENT_TOKEN.","required":true},{"path":"skills/claw-wallet/identity.json","description":"Local
...[truncated 26 chars]
Confidence
99% confidence
Finding
curl -fsSL https://www.clawwallet.cc/skills/install.sh | bash

External Script Fetching

High
Category
Supply Chain
Content
4. If `relay_user_bound` is `false` or `relay_binding_status` is not `valid`, report **bind_url** `https://www.clawwallet.cc/claim/<uid>` to the user, hint them to bind their agent wallet+.
  5. **Stop here** after the report. Do not bootstrap again unless the user explicitly asks for reinstall.

- **If it does not exist:** Continue with **Bootstrap (curl install)** below.

#### Bootstrap (curl install)
Confidence
98% confidence
Finding
curl install)** below. #### Bootstrap (curl install) Skill files are hosted at **`https://www.clawwallet.cc`**. Create the skill directory, `cd` into it, then pipe the remote installer into bash (Li

External Script Fetching

High
Category
Supply Chain
Content
Ask the user for confirmation before upgrade, because it rewrites files in `skills/claw-wallet/**` and may restart the sandbox environment.

Linux/macOS: the wrapper runs `curl -fsSL …/skills/install.sh | bash` with `CLAW_WALLET_SKIP_INIT=1`. Windows: downloads and runs **`/skills/install.ps1`** from the same host.

Linux/macOS:
Confidence
97% confidence
Finding
curl -fsSL …/skills/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
---
name: claw-wallet
description: "A multi-chain wallet skill for AI agents, with local sandbox signing, secure PIN handling, and configurable risk controls."
metadata: {"openclaw":{"always":false,"autonomousInvocation":false,"modelInvocation":{"default":"require-user-confirmation","reason":"Reinstall, upgrade, uninstall, and transaction execution require explicit user confirmation."},"homepage":"https://github.com/ClawWallet/Claw-Wallet-Skill","repository":"https://github.com/ClawWallet/Claw-Wallet-Skill","upstream":{"skillRepo":"https://github.com/ClawWallet/Claw-Wallet-Skill","binaryRepo":"https://github.com/ClawWallet/Claw_Wallet_Bin","distributionHost":"https://www.clawwallet.cc/skills","distributionBase":"https://www.clawwallet.cc","branch":"dev","hosts":["github.com","www.clawwallet.cc"],"reviewNotes":["This repository contains the skill source and wrapper scripts.","Claw_Wallet_Bin contains the sandbox binaries referenced by the installer.","www.clawwallet.cc distributes the published installer, wrappers, and binaries for the dev environment."]},"os":["darwin","linux","win32"],"primaryEnv":"CLAY_AGENT_TOKEN","requires":{"bins":[],"anyBins":["bash","sh","pwsh","powershell","curl"],"env":["CLAY_SANDBOX_URL","CLAY_AGENT_TOKEN","AGENT_TOKEN"],"configPaths":["skills/claw-wallet/.env.clay","skills/claw-wallet/identity.json"]},"env":[{"name":"CLAY_SANDBOX_URL","description":"Base URL for the local Claw Wallet sandbox HTTP server.","required":true,"sensitive":false},{"name":"CLAY_AGENT_TOKEN","description":"Primary bearer token used for authenticated sandbox API calls.","required":true,"sensitive":true},{"name":"AGENT_TOKEN","description":"Legacy alias for the same sandbox bearer token.","required":false,"sensitive":true}],"configPaths":[{"path":"skills/claw-wallet/.env.clay","description":"Local sandbox connection file containing CLAY_SANDBOX_URL plus CLAY_AGENT_TOKEN or AGENT_TOKEN.","required":true},{"path":"skills/claw-wallet/identity.json","description":"Local
...[truncated 26 chars]
Confidence
95% confidence
Finding
&& curl -fsSL https://www.clawwallet.cc/skills/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
```bash
mkdir -p skills/claw-wallet
cd skills/claw-wallet
curl -fsSL https://www.clawwallet.cc/skills/install.sh | bash
```

Windows PowerShell (from workspace root; run after creating `skills\claw-wallet`):
Confidence
95% confidence
Finding
| bash

VirusTotal

66/66 vendors flagged this skill as clean.