Crypto Wallet
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is not clearly malicious, but it can initiate and confirm cryptocurrency withdrawals using wallet authentication and a transaction PIN, so it needs careful review before use.
Only install or use this skill if you trust the AIOT wallet service and API domain. Before any withdrawal, require the agent to show the exact coin, network, amount, fees, and destination address, then approve it explicitly; do not provide a transaction PIN unless everything matches.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or unintended invocation could send cryptocurrency to the wrong address or network, which may be irreversible.
These instructions expose high-impact API actions that can move cryptocurrency to an external wallet. The flow includes a quote and PIN, but does not explicitly require a final displayed review and approval of destination, network, amount, and fees before the withdrawal is initiated or confirmed.
`initiate_withdraw` — Start a crypto withdrawal to an external address ... `confirm_withdraw` — Confirm a pending crypto withdrawal ... Requires transaction PIN
Require explicit user confirmation after showing the exact quote, amount, network, destination address, and fees, and avoid any autonomous withdrawal action without that confirmation.
The agent may handle credentials that authorize wallet access and withdrawals, increasing the impact of mistakes, compromised sessions, or misdirected API calls.
The agent is expected to use wallet authentication and collect a transaction PIN for financial actions. The no-cache/no-log rule is good, but the artifacts do not define a secure input channel, token scope, or other containment for these high-privilege credentials.
If a tool requires authentication, verify the session has a valid bearer token before calling it. If a tool requires a transaction PIN, ask the user for it fresh each time. Never cache or log PINs.
Use least-privilege authentication, collect PINs only through a secure trusted flow if available, and ensure the user can verify the account and transaction before credentials are used.
Users may have limited ability to confirm that the wallet API and publisher are trustworthy before sending funds or credentials through the skill.
For a wallet skill that can generate deposit addresses and withdraw crypto, missing provenance and no homepage make it harder for users to verify the provider and intended API endpoint.
Source: unknown; Homepage: none
Verify the publisher, API domain, and wallet service out of band before installing or using the skill for real funds.
