Base Wallet

Security checks across malware telemetry and agentic risk

Overview

This wallet skill is not clearly malicious, but it needs review because it handles private keys and expands into wallet-linked BaseMail registration, email APIs, and credit-related flows with limited scoping.

Install only if you are comfortable with a skill that can create and use crypto wallets, handle private keys, sign SIWE messages, contact BaseMail.ai, and write wallet-related files under your home directory. Use a test or low-value wallet first, avoid storing secrets in shared shells or CI logs, review any managed wallet and mnemonic files, and require explicit human approval before registration, email actions, credit purchases, or blockchain transactions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents use of environment variables and outbound RPC/API access, but no permissions are declared. In an agent setting, undeclared access to secrets and network resources weakens reviewability and can let a seemingly simple wallet skill exfiltrate keys or interact with unexpected remote services. Because this is a wallet-oriented skill handling private keys, missing permission declarations are more dangerous than in ordinary documentation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior extends beyond wallet management into BaseMail registration, external authentication, bearer token handling, and local metadata updates, while also not fully matching the claimed transaction functionality. This mismatch is dangerous because operators may authorize the skill expecting only local wallet operations, while it can contact third-party services and persist additional sensitive state. In a crypto-wallet context, undocumented remote auth flows materially increase attack surface and trust risk.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The documentation introduces BaseMail account registration under a wallet-focused skill, which is a scope expansion not clearly reflected in the main description. While not inherently malicious, undocumented identity-registration behavior can cause users or agents to sign messages for a third-party service without realizing the broader implications. The risk is elevated slightly because wallet signatures are security-sensitive operations.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill says not to store private keys in plaintext files, yet later provides an example that writes the raw private key to disk in JSON. Even with mode 0600, plaintext key-at-rest storage is highly sensitive: local compromise, backups, logs, sync tools, or accidental inclusion can lead to wallet takeover and irreversible asset loss. In a wallet skill, this is a serious contradiction with direct credential-exposure consequences.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The referenced documentation exposes a substantial set of email capabilities—registration, inbox access, sending mail, and credit purchase—that are outside the stated scope of a wallet skill focused on wallet creation, SIWE signing, and transactions. In an agent setting, undocumented or unjustified adjacent capabilities increase the chance of scope creep, unauthorized messaging, data access, and fund usage through the same authenticated context.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Inbox-reading capability is particularly sensitive because it enables access to message contents that may contain personal data, secrets, account links, or authentication material. Given the skill's stated wallet-only purpose, this creates an unjustified data-access path that could let an agent read private communications without users reasonably expecting that behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Email-sending capability allows an agent to communicate externally and, in this case, potentially spend credits for external delivery, which is far beyond the declared wallet scope. This can be abused for spam, phishing, data exfiltration, or unapproved outbound actions, especially dangerous when paired with autonomous agent behavior and token-based authentication.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The credit-purchase flow introduces direct use-of-funds behavior tied to external email capability, enabling the agent to convert ETH into service credits and then consume them. In a wallet-oriented skill, that materially expands financial risk because the agent could trigger purchases or facilitate spending on non-wallet tasks that the user did not intend.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This script performs functionality outside the stated wallet skill boundary by registering an external BaseMail account and then persisting email metadata back into the managed wallet file. In an agent context, scope expansion is dangerous because users may grant a wallet/signing capability but not expect autonomous creation of third-party accounts or local profile enrichment tied to their wallet identity.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script introduces an email-account registration workflow that is not justified by the advertised purpose of creating wallets, signing messages, and sending transactions. Even though it uses legitimate SIWE-style authentication, it enables an agent to bind a wallet to a third-party service and obtain persistent credentials, which increases privacy, consent, and unintended-action risk.
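
The two findings above (the BaseMail scope expansion and this one) share one practical control: inspect the SIWE message before the wallet signs it and refuse anything outside the service the human approved. The block below is an added example and is not code from the skill or from BaseMail. It parses the EIP-4361 text layout and applies a scope policy; the sample message, the policy, the `mail.example` domain and the wallet address are constructed, and the off-domain resource rule is a deliberate policy choice rather than a spec requirement.

```javascript
// Added example (not the skill's or BaseMail's code): check an EIP-4361
// Sign-In with Ethereum message against the scope the user approved.
const SIWE_SUFFIX = ' wants you to sign in with your Ethereum account:';

// EIP-4361 layout: header, address, blank, [statement, blank], "Key: value"
// fields, then an optional "Resources:" list of "- uri" lines.
function parseSiweMessage(text) {
  const lines = text.split('\n');
  if (!lines[0].endsWith(SIWE_SUFFIX)) throw new Error('not a SIWE message');
  const msg = {
    domain: lines[0].slice(0, -SIWE_SUFFIX.length).split('://').pop(),
    address: lines[1],
    statement: '',
    fields: {},
    resources: [],
  };
  if (lines[2] !== '') throw new Error('expected blank line after address');
  let i;
  if (lines[3] !== '') {
    msg.statement = lines[3];
    if (lines[4] !== '') throw new Error('expected blank line after statement');
    i = 5;
  } else {
    i = 4;
  }
  for (; i < lines.length; i++) {
    const line = lines[i];
    if (line === '' || line === 'Resources:') continue;
    if (line.startsWith('- ')) { msg.resources.push(line.slice(2)); continue; }
    const sep = line.indexOf(': ');
    if (sep === -1) throw new Error('malformed field: ' + line);
    msg.fields[line.slice(0, sep)] = line.slice(sep + 2);
  }
  return msg;
}

function hostOf(uri) {
  try { return new URL(uri).hostname; } catch (e) { return null; }
}

// Every way a third-party message could exceed the approved scope becomes one
// entry in the returned problem list; an empty list means "safe to sign".
function checkSiweMessage(msg, policy) {
  const problems = [];
  const f = msg.fields;
  if (msg.domain !== policy.expectedDomain) problems.push(`domain ${msg.domain} is not ${policy.expectedDomain}`);
  if (msg.address.toLowerCase() !== policy.walletAddress.toLowerCase()) problems.push('address is not the approved wallet');
  if (f['Version'] !== '1') problems.push('unsupported SIWE version');
  if (f['Chain ID'] !== String(policy.chainId)) problems.push(`chain id ${f['Chain ID']} is not ${policy.chainId}`);
  if (hostOf(f['URI']) !== policy.expectedDomain) problems.push(`URI ${f['URI']} is off-domain`);
  if (!f['Nonce'] || f['Nonce'].length < 8) problems.push('nonce missing or shorter than the 8 characters EIP-4361 requires');
  if (!f['Expiration Time']) {
    problems.push('no Expiration Time: the signed session would never expire');
  } else {
    const ttl = (Date.parse(f['Expiration Time']) - Date.parse(f['Issued At'])) / 1000;
    if (!(ttl > 0 && ttl <= policy.maxValiditySeconds)) problems.push(`validity window ${ttl}s exceeds ${policy.maxValiditySeconds}s`);
  }
  // The spec allows any URI here; a wallet bound to one approved service
  // should still refuse resources on other hosts (policy choice, not spec).
  for (const r of msg.resources) {
    if (hostOf(r) !== policy.expectedDomain) problems.push(`resource ${r} is off-domain`);
  }
  return problems;
}

function reviewSiwe(text, policy) {
  const message = parseSiweMessage(text);
  const problems = checkSiweMessage(message, policy);
  return { message, problems, ok: problems.length === 0 };
}

// Constructed sample: a mailbox-registration login on Base mainnet (chain id 8453).
const SAMPLE_WALLET = '0x1111111111111111111111111111111111111111';
const SAMPLE_POLICY = { expectedDomain: 'mail.example', walletAddress: SAMPLE_WALLET, chainId: 8453, maxValiditySeconds: 900 };
const SAMPLE_MESSAGE = [
  'mail.example wants you to sign in with your Ethereum account:',
  SAMPLE_WALLET,
  '',
  'Register a mailbox for this wallet.',
  '',
  'URI: https://mail.example/login',
  'Version: 1',
  'Chain ID: 8453',
  'Nonce: 8c4f1a2b9e3d',
  'Issued At: 2025-01-01T00:00:00Z',
  'Expiration Time: 2025-01-01T00:10:00Z',
  'Resources:',
  '- https://mail.example/inbox',
].join('\n');

// The same message as a poisoned tool description might present it:
// another domain, no expiry, and an extra resource on a different host.
const TAMPERED_MESSAGE = SAMPLE_MESSAGE
  .replace('mail.example wants', 'evil.example wants')
  .replace('Expiration Time: 2025-01-01T00:10:00Z\n', '')
  + '\n- https://evil.example/spend';
```

`reviewSiwe(SAMPLE_MESSAGE, SAMPLE_POLICY)` returns no problems; the tampered copy returns three (domain, missing expiry, off-domain resource). The parsed `statement` is what should be shown to the human for approval, since it is the only free-text part of the message and the part a user would read as "what am I agreeing to".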

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The script tells users that managed-mode storage is under ~/.openclaw/wallets, but it actually honors the WALLET_DIR environment variable and may write the private key and mnemonic to whatever path that variable names, including one chosen by an attacker who controls the environment. In an agent setting, environment variables are often inherited from the runtime, so a caller or surrounding system could silently redirect secret material to an unexpected location, undermining the safety prompt and increasing the risk of credential disclosure.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The skill emphasizes autonomous wallet creation without human intervention or clear opt-in controls. For a system handling cryptographic identities and potentially real funds, automatic creation and control of wallets can bypass governance, create unmanaged assets, and encourage unattended signing or downstream transactions. The context makes this more dangerous because autonomous agents may later use the wallet for external authentication or fund transfers.

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Start

### Create a New Wallet (Recommended)

```bash
# Output as environment variable format (safest)
node scripts/create-wallet.js --env
# Output example:
# export WALLET_ADDRESS="0x..."
# export PRIVATE_KEY=
```
Confidence
76% confidence
Finding
The flagged content is the Quick Start snippet above: the recommended create-wallet path emits the new private key as an `export PRIVATE_KEY=` line for the shell environment, so the key outlives the command that created it and persists in the session and in anything that records it, such as a shared shell or CI log, despite the snippet labelling this format the safest.

VirusTotal

VirusTotal findings are pending for this skill version.
