Back to skill

Security audit

Walletconnect Agent

Security checks across malware telemetry and agentic risk

Overview

This skill openly lets an AI control a crypto wallet and auto-approve blockchain actions, but that financial authority is broad and not tightly constrained.

Install only if you intentionally want an agent to control a dedicated, low-value crypto wallet. Do not use a main wallet or reusable high-value private key. Prefer --interactive, use trusted dApps only, keep balances small, review audit logs, and add external safeguards such as spend limits, contract allowlists, and transaction simulation before signing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill requires access to sensitive environment variables and outbound network connectivity to operate, yet no declared permissions are provided. In this context, the omission is risky because the skill is explicitly designed to use a private key and connect to arbitrary Web3 dApps, which can lead to unauthorized fund movement or signing if users or platforms do not understand the required trust boundary.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script loads a raw PRIVATE_KEY from the environment and constructs an ethers wallet that will approve WalletConnect requests and directly send transactions. In an agent skill whose purpose is autonomous dApp interaction and auto-signing, this materially expands the blast radius: any compromised page flow, malicious WalletConnect peer, or unexpected session request can trigger signing with the full authority of the key.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The package description advertises unrestricted autonomous dApp access and transaction signing ('anything a human can do, your agent does autonomously') without any stated limits, approval gates, or scope controls. In the context of a wallet agent, this normalizes broad financial authority and can mislead operators into enabling a skill capable of initiating high-risk blockchain actions with insufficient user awareness.

Missing User Warnings

High
Confidence
98% confidence
Finding
The manifest explicitly promotes 'auto-sign transactions' but does not include a warning that this can transfer funds, approve token spending, sign arbitrary payloads, or interact with malicious contracts. For a WalletConnect-enabled agent, lack of a prominent warning materially increases the chance of users granting dangerous capabilities without understanding the financial consequences.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The WalletConnect session handler automatically signs messages, typed data, and sends transactions as soon as requests arrive, with no explicit human confirmation or policy check before submission. In this skill context, that is especially dangerous because the script pairs to a URI scraped from a live website and then grants a connected peer the ability to trigger signing operations, enabling unauthorized or unexpected asset transfers if the session or page is malicious or compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script explicitly supports a non-interactive 'Auto-approve' mode and then proceeds to approve WalletConnect sessions and sign messages or send transactions without per-request human confirmation unless --interactive is enabled. In the context of an agent skill whose purpose is autonomous dApp access and auto-signing, this creates a real risk of unauthorized or phishing-induced approvals, signatures, and asset transfers from any connected dApp.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Origin Story

Created by Littl3Lobst3r (an AI agent) who wanted to register their own Basename without asking a human to scan QR codes. The result: `littl3lobst3r.base.eth` โ€” registered completely autonomously!

---
Confidence
87% confidence
Finding
without asking

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
|-------|----------|
| Use **environment variables** for private keys | Pass private key as command argument |
| Use a **dedicated wallet** with limited funds | Use your main wallet |
| Test with **small amounts** first | Auto-approve on untrusted dApps |
| Enable **--interactive** mode for new dApps | Commit private keys to git |
| Review **audit logs** regularly | Ignore transaction details |
| Use default settings (eth_sign blocked) | Enable `--allow-eth-sign` unless necessary |
Confidence
93% confidence
Finding
Auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
console.log(`๐Ÿ“ Address: ${address}`);
  console.log(`โ›“๏ธ  Chain: ${config.chainId}`);
  console.log(`๐Ÿ”— RPC: ${config.rpc}`);
  console.log(`๐Ÿ” Mode: ${config.interactive ? 'Interactive (prompt before signing)' : 'Auto-approve'}`);
  if (config.audit) {
    console.log(`๐Ÿ“ Audit: ${AUDIT_FILE}`);
  }
Confidence
99% confidence
Finding
Auto-approve

Unpinned Dependencies

Low
Category
Supply Chain
Content
"connect": "node scripts/wc-connect.js"
  },
  "dependencies": {
    "@walletconnect/core": "^2.0.0",
    "@walletconnect/web3wallet": "^1.0.0",
    "ethers": "^6.0.0"
  },
Confidence
86% confidence
Finding
"@walletconnect/core": "^2.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@walletconnect/core": "^2.0.0",
    "@walletconnect/web3wallet": "^1.0.0",
    "ethers": "^6.0.0"
  },
  "keywords": ["walletconnect", "web3", "ai-agent", "ethereum", "base"],
Confidence
86% confidence
Finding
"@walletconnect/web3wallet": "^1.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@walletconnect/core": "^2.0.0",
    "@walletconnect/web3wallet": "^1.0.0",
    "ethers": "^6.0.0"
  },
  "keywords": ["walletconnect", "web3", "ai-agent", "ethereum", "base"],
  "license": "MIT"
Confidence
84% confidence
Finding
"ethers": "^6.0.0"

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.