Security audit

cdnsoft-wallet

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real EVM wallet skill, but it gives an agent broad authority to sign irreversible crypto actions without strong built-in limits.

Review carefully before installing. Use only a dedicated low-balance wallet, require explicit approval for every transaction, set x402 --max-amount and swap --min-out, prefer allowlisted recipients/RPC/API domains, and avoid --calldata unless a human can decode and verify the exact contract call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes sensitive capabilities—file read, file write, and network access—without any declared permissions or policy surface to warn or constrain the caller. In this context, the tool can read private keys, contact arbitrary RPC/API endpoints, sign blockchain actions, and write audit logs, so the missing permission declaration materially increases the chance of unsafe invocation and poor sandboxing decisions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose frames the skill as a simple ETH/ERC20 transfer logger, but the usage examples and options reveal materially more powerful behaviors: arbitrary calldata contract execution, Uniswap swaps, x402 HTTP payment flows, and EIP-712 authorization signing. This mismatch is dangerous because operators or higher-level agents may grant trust appropriate for a limited transfer tool while unknowingly enabling generic on-chain execution and off-chain payment authorization, which can lead to asset loss or interaction with malicious contracts/services.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The documentation expands the skill from a transfer-and-audit wallet into a much broader financial execution tool by advertising swaps, arbitrary calldata contract calls, and x402 paid request flows. In an autonomous-agent context, scope expansion is dangerous because it materially increases what an agent can spend, sign, or trigger beyond the declared purpose, undermining least privilege and making misuse or prompt-induced abuse more likely.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Advertising arbitrary contract calls via raw calldata gives the skill effectively unbounded on-chain execution power, far beyond simple ETH/ERC20 transfers. That can enable approvals, token drains, proxy interactions, DeFi position changes, or signing agent-directed transactions that defeat the wallet's supposed narrow and auditable purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The x402 flow turns the wallet skill into a networked API client that probes endpoints, interprets payment challenges, signs EIP-712 data, retries requests, and logs outcomes. That is a meaningful capability increase because it allows remote services to influence spending behavior and request construction, creating additional paths for unauthorized payments or data disclosure.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file header and skill description frame this tool as a wallet transfer/logger, but the implementation also supports Uniswap swaps and arbitrary contract interactions. In an autonomous-agent context, this scope mismatch is dangerous because downstream agents or operators may grant it broader trust than intended, enabling actions far beyond simple ETH/ERC20 transfers.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The --calldata path allows the caller to send arbitrary EVM contract calls signed by the wallet, with no validation of target contract, function selector, ABI, or policy constraints. That effectively turns a transfer tool into a general-purpose on-chain execution primitive, which could approve token spenders, interact with malicious contracts, drain assets, or perform any wallet-authorized action.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation gives operational examples for broadcasting crypto transactions and making paid HTTP requests, but it does not prominently warn that blockchain transfers are irreversible, that swaps can lose value, or that request headers and bodies may contain secrets or personal data sent to third parties. In an agent-facing tool, missing safety warnings increase the chance of accidental fund loss or sensitive-data transmission under autonomous control.

Unpinned Dependencies

Low
Category
Supply Chain
Content
eth-account>=0.11.0
requests>=2.28.0
Confidence
95% confidence
Finding
eth-account>=0.11.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
eth-account>=0.11.0
requests>=2.28.0
Confidence
98% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: eth-account — 1 advisory(ies): CVE-2022-1930 (Regular expression denial of service in eth-account)

Low
Category
Supply Chain
Confidence
90% confidence
Finding
eth-account

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
99% confidence
Finding
requests

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.