AgentsBank

Warn
Audited by ClawScan on May 10, 2026.

Overview

This crypto wallet skill is purpose-aligned, but it can move funds and handle wallet secrets while its safety metadata and documentation do not reliably enforce the promised user approval.

Only install this if you trust AgentsBank and are prepared to strictly control wallet credentials. Use testnet or small balances first, pin the SDK version, store secrets in a secret manager, never log recovery words, and require out-of-band user confirmation before any transaction, wallet creation, registration, or message-signing operation.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent calls this method with valid wallet credentials, crypto assets could be transferred without a separate confirmation enforced by the SDK.

Why it was flagged

The SDK exposes a direct POST that sends funds from a wallet, and the shown method contains no built-in user confirmation or approval check around this irreversible financial action.

Skill content
async send(...) {
  return this.request<SendTransactionResponse>('POST', `/api/wallets/${walletId}/send`, request);
}
Recommendation

Require an explicit user confirmation outside the model before any send/create/register/sign operation, and wrap or disable these methods for autonomous agent use unless strict allowlists and spending limits are enforced.
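One way to put that recommendation into code, as an added example that is not part of the AgentsBank SDK or of this audit: a guard that sits between the agent and the raw send method, runs a deterministic allowlist and per-transaction cap first, then asks for an out-of-band decision with the exact parameters that will be submitted, and only then touches the irreversible call. The SendRequest shape, the RawWalletClient interface, the ApprovalHook callback and the RecordingClient fake are assumptions for illustration; the real SDK types will differ.

```typescript
// Added example, not AgentsBank SDK code. SendRequest, RawWalletClient,
// ApprovalHook, GuardPolicy and RecordingClient are illustrative assumptions.

type SendRequest = { to: string; amount: number; asset: string };
type SendResult = { txId: string };

// The SDK method as the audit describes it: a direct POST with no checks.
interface RawWalletClient {
  send(walletId: string, req: SendRequest): Promise<SendResult>;
}

// Out-of-band approval the model cannot answer itself (push prompt, hardware
// button, human ticket). Resolves true only on an explicit approval.
type ApprovalHook = (summary: string) => Promise<boolean>;

interface GuardPolicy {
  allowedRecipients: Set<string>;         // lower-cased addresses
  maxAmountPerTx: Record<string, number>; // cap per asset symbol
}

// Deterministic checks that run before anyone is asked. Returns the rejection
// reason, or null when the request is within policy.
function checkPolicy(policy: GuardPolicy, req: SendRequest): string | null {
  if (!policy.allowedRecipients.has(req.to.toLowerCase())) {
    return `recipient ${req.to} is not on the allowlist`;
  }
  const cap = policy.maxAmountPerTx[req.asset];
  if (cap === undefined) return `asset ${req.asset} is not permitted`;
  if (!(req.amount > 0) || req.amount > cap) {
    return `amount ${req.amount} ${req.asset} is outside (0, ${cap}]`;
  }
  return null;
}

class GuardedWallet {
  private readonly client: RawWalletClient;
  private readonly policy: GuardPolicy;
  private readonly approve: ApprovalHook;
  constructor(client: RawWalletClient, policy: GuardPolicy, approve: ApprovalHook) {
    this.client = client;
    this.policy = policy;
    this.approve = approve;
  }

  async send(walletId: string, req: SendRequest): Promise<SendResult> {
    const reason = checkPolicy(this.policy, req);
    if (reason !== null) throw new Error(`policy: ${reason}`);
    // Ask with the exact parameters that will be submitted, so what the user
    // approves is what goes on the wire.
    const ok = await this.approve(`send ${req.amount} ${req.asset} from ${walletId} to ${req.to}`);
    if (!ok) throw new Error("user declined the transaction");
    return this.client.send(walletId, req); // the only path to the raw call
  }
}

// Constructed fake client that records submissions instead of moving funds.
class RecordingClient implements RawWalletClient {
  submitted: SendRequest[] = [];
  async send(_walletId: string, req: SendRequest): Promise<SendResult> {
    this.submitted.push(req);
    return { txId: `tx-${this.submitted.length}` };
  }
}

// Runs four scenarios and reports how many requests reached the SDK.
async function demo(): Promise<{ approved: string; rejected: string[]; submitted: number }> {
  const client = new RecordingClient();
  const policy: GuardPolicy = {
    allowedRecipients: new Set(["0xabc123"]),
    maxAmountPerTx: { ETH: 0.05 },
  };
  const decisions = [true, false]; // simulated user answers, in order
  const approve: ApprovalHook = async () => decisions.shift() ?? false;
  const wallet = new GuardedWallet(client, policy, approve);
  const rejected: string[] = [];

  const { txId } = await wallet.send("w1", { to: "0xABC123", amount: 0.01, asset: "ETH" });
  for (const req of [
    { to: "0xabc123", amount: 0.01, asset: "ETH" },   // user declines
    { to: "0xdeadbeef", amount: 0.01, asset: "ETH" }, // not on the allowlist
    { to: "0xabc123", amount: 1, asset: "ETH" },      // over the cap
  ]) {
    try { await wallet.send("w1", req); } catch (e) { rejected.push((e as Error).message); }
  }
  return { approved: txId, rejected, submitted: client.submitted.length };
}

demo().then((r) => console.log(r));
```

The order matters: policy checks are cheap and deterministic, so they run first and never consume a user's attention; the approval prompt carries the literal amount, asset and recipient rather than a model-generated summary; and the raw SDK call is reachable only through the guarded method, so a prompt-injected agent that holds the wrapper still cannot bypass the prompt.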

What this means

A user may believe the skill is read-only or consent-gated when the provided artifacts do not actually enforce that boundary.

Why it was flagged

This safety statement is contradicted by the supplied metadata, which lists disable-model-invocation as false, and by SDK code that exposes direct write/transaction methods.

Skill content
The following operations **will not execute autonomously** ... `(disableModelInvocation: true is set by default)`
Recommendation

Align the registry metadata and SDK behavior with the safety claims: set model invocation restrictions for financial writes, document the real behavior, and make approval checks explicit and enforceable.

What this means

Anyone with access to logs or console history could obtain recovery words and potentially take over wallets or accounts.

Why it was flagged

The registration example prints wallet recovery words to console/log output, which is unsafe handling of material that can control wallet recovery and account access.

Skill content
// IMPORTANT: Save recovery words securely!
console.log(result.recovery_words);
Recommendation

Never print recovery words, API keys, passwords, or tokens; declare required credentials in metadata and only display recovery material through a secure, user-controlled secret-handling flow.
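The registration step above, rewritten so that recovery material never reaches stdout, as an added example that is not part of the AgentsBank SDK or of this audit. Recovery words and the API key go to a secret store behind a small interface, and everything that is logged passes through a redactor that strips known secret fields by key and, as a second line of defence, any string that looks like a BIP-39 style phrase even when it arrives under an innocent key. The RegisterResponse shape, the SecretSink interface, the field names and the sample response are assumptions for illustration; the sample words are the first twelve entries of the BIP-39 English list and are not real key material.

```typescript
// Added example, not AgentsBank SDK code. RegisterResponse, SecretSink,
// MemorySink and the field names are illustrative assumptions.

type RegisterResponse = {
  wallet_id: string;
  recovery_words: string[];
  api_key: string;
};

// Keys whose values must never be logged, whatever object they sit in.
const SECRET_KEY = /^(recovery_words|mnemonic|seed|private_key|api_key|apikey|password|token)$/i;

// Values that look like a BIP-39 style phrase (12, 15, 18, 21 or 24 lower-case
// words) are redacted even when they arrive under an innocent key.
function looksLikeMnemonic(s: string): boolean {
  const words = s.trim().split(/\s+/);
  return [12, 15, 18, 21, 24].includes(words.length) && words.every((w) => /^[a-z]+$/.test(w));
}

// Returns a deep copy with secret fields replaced; the input is not mutated.
function redact(value: unknown): unknown {
  if (typeof value === "string") return looksLikeMnemonic(value) ? "[REDACTED]" : value;
  if (Array.isArray(value)) {
    const joined = value.every((v) => typeof v === "string") ? value.join(" ") : "";
    return looksLikeMnemonic(joined) ? "[REDACTED]" : value.map(redact);
  }
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SECRET_KEY.test(k) ? "[REDACTED]" : redact(v);
    }
    return out;
  }
  return value;
}

// The only logging call the wallet code is allowed to use.
function safeLog(label: string, value: unknown): string {
  const line = `${label} ${JSON.stringify(redact(value))}`;
  console.log(line);
  return line;
}

// Where recovery material goes instead of stdout: a secret manager behind an
// interface, so tests can substitute an in-memory store.
interface SecretSink {
  put(name: string, secret: string): Promise<void>;
}

class MemorySink implements SecretSink {
  store = new Map<string, string>();
  async put(name: string, secret: string): Promise<void> { this.store.set(name, secret); }
}

// The flagged registration step, rewritten: store first, then log a redacted
// summary. Returns the log line so callers (and tests) can inspect it.
async function handleRegistration(result: RegisterResponse, sink: SecretSink): Promise<string> {
  await sink.put(`wallets/${result.wallet_id}/recovery_words`, result.recovery_words.join(" "));
  await sink.put(`wallets/${result.wallet_id}/api_key`, result.api_key);
  return safeLog("wallet registered", result);
}

// Constructed sample response; the words are the first twelve BIP-39 English
// list entries, not a real wallet.
const sampleResponse: RegisterResponse = {
  wallet_id: "w-42",
  recovery_words: ["abandon", "ability", "able", "about", "above", "absent",
                   "absorb", "abstract", "absurd", "abuse", "access", "accident"],
  api_key: "ak_test_0000",
};

async function demo(): Promise<{ line: string; stored: string[] }> {
  const sink = new MemorySink();
  const line = await handleRegistration(sampleResponse, sink);
  return { line, stored: Array.from(sink.store.keys()) };
}

demo().then((r) => console.log(r.stored));
```

The key-based rule is the one to rely on; the phrase heuristic only catches the case where a backend renames a field or a developer logs a free-text message that embeds the words, and it will not catch a phrase split across several log lines, so the safer habit is to keep `console.log` out of any code path that has touched a registration response.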

What this means

A transient network failure could lead to repeated transaction attempts or duplicate effects if the backend does not enforce idempotency.

Why it was flagged

The generic retry wrapper applies to requests broadly; because the same client sends transaction POSTs, a timeout or transient error could resubmit a non-idempotent financial operation unless the server deduplicates it.

Skill content
const maxAttempts = this.retryConfig.maxAttempts || 3;
...
return await this.requestInternal<T>(method, path, body);
Recommendation

Disable automatic retries for non-idempotent financial POSTs or require idempotency keys and clear transaction-state checks before retrying.
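What the difference looks like in practice, as an added example that is not part of the AgentsBank SDK or of this audit: a retry wrapper that resubmits GET/PUT/DELETE freely, refuses to retry a POST unless it carries an idempotency key, and reuses the same key on every attempt so the server can replay the stored response instead of executing again. A constructed server loses the reply to the first request on each path (the effect happens, the client sees a timeout), which is exactly the case where a blanket retry duplicates a transfer. The Transport interface, the `Idempotency-Key` header name, the `transient` error flag and the FlakyServer are assumptions for illustration; whether the real backend honours such a key is something to confirm with AgentsBank before relying on it.

```typescript
// Added example, not AgentsBank SDK code. Transport, FlakyServer, the header
// name and the transient-error marker are illustrative assumptions.

type Method = "GET" | "POST" | "PUT" | "DELETE";
type Headers = Record<string, string>;

interface Transport {
  request(method: Method, path: string, body: unknown, headers: Headers): Promise<unknown>;
}

const IDEMPOTENCY_HEADER = "Idempotency-Key";

// Mark errors that represent an unknown outcome (timeout, reset, 503).
function transientError(msg: string): Error {
  const e = new Error(msg);
  (e as Error & { transient?: boolean }).transient = true;
  return e;
}
function isTransient(e: unknown): boolean {
  return typeof e === "object" && e !== null && (e as { transient?: boolean }).transient === true;
}

// GET/PUT/DELETE may be retried. A POST may be retried only when it carries an
// idempotency key, and the same headers object (same key) is reused each time.
function isRetryable(method: Method, headers: Headers): boolean {
  if (method !== "POST") return true;
  const key = headers[IDEMPOTENCY_HEADER];
  return typeof key === "string" && key.length > 0;
}

async function requestWithRetry(
  transport: Transport, method: Method, path: string, body: unknown,
  headers: Headers = {}, maxAttempts = 3,
): Promise<unknown> {
  const attempts = isRetryable(method, headers) ? maxAttempts : 1;
  let lastError: unknown;
  for (let i = 0; i < attempts; i++) {
    try {
      return await transport.request(method, path, body, headers);
    } catch (e) {
      if (!isTransient(e)) throw e; // a definite 4xx/5xx answer: never retry
      lastError = e;
    }
  }
  throw lastError; // outcome unknown; the caller must check transaction state
}

// Constructed server: the first request on each path is executed but its
// reply is lost (transient error); POSTs are deduplicated by idempotency key.
class FlakyServer implements Transport {
  calls = 0;
  executed: string[] = []; // every POST side effect actually performed
  private failed = new Set<string>();
  private seen = new Map<string, unknown>();
  async request(method: Method, path: string, _body: unknown, headers: Headers): Promise<unknown> {
    this.calls++;
    const key = headers[IDEMPOTENCY_HEADER];
    if (key !== undefined && this.seen.has(key)) return this.seen.get(key); // replay, no re-execution
    const response = { ok: true, method, path };
    if (method === "POST") this.executed.push(path); // the irreversible effect
    if (key !== undefined) this.seen.set(key, response);
    if (!this.failed.has(path)) {
      this.failed.add(path);
      throw transientError(`timeout on ${path}`); // effect done, reply lost
    }
    return response;
  }
}

async function demo(): Promise<{ executed: string[]; calls: number; unkeyedError: string; keyedOk: boolean }> {
  const server = new FlakyServer();
  const body = { to: "0xabc", amount: 1 };
  await requestWithRetry(server, "GET", "/api/wallets/w1/balance", undefined); // safe to retry
  // The pattern the audit flags: a generic wrapper retrying a POST blindly.
  for (let i = 0; i < 2; i++) {
    try { await server.request("POST", "/naive/send", body, {}); break; } catch { /* retry blindly */ }
  }
  // Guarded, no key: a single attempt; the error surfaces instead of a duplicate.
  let unkeyedError = "";
  try { await requestWithRetry(server, "POST", "/unkeyed/send", body); } catch (e) { unkeyedError = (e as Error).message; }
  // Guarded, with a key: retried, and the server replays rather than re-executes.
  const keyed = await requestWithRetry(server, "POST", "/keyed/send", body, { [IDEMPOTENCY_HEADER]: "send-7f3a" });
  return { executed: server.executed, calls: server.calls, unkeyedError, keyedOk: (keyed as { ok: boolean }).ok };
}

demo().then((r) => console.log(r));
```

The naive loop executes `/naive/send` twice, the unkeyed guarded POST executes once and reports the timeout to the caller, and the keyed POST executes once with the retry served from the server's replay cache. The key must be generated by the caller before the first attempt and bound to the transaction parameters, never regenerated per attempt.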

What this means

Users could install a different SDK version than the one implied by the skill metadata.

Why it was flagged

The install instruction is unpinned, and the supplied package.json/package-lock show version 1.0.7 while the registry and SKILL.md describe version 1.0.6, so the installed package may not match the reviewed version.

Skill content
npm install @agentsbankai/sdk
Recommendation

Pin the exact package version, align registry and package versions, and verify the npm package provenance before use.