Sui Agent Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a real Sui agent wallet, but it exposes seed phrases and signing controls through unauthenticated localhost APIs that websites or local processes could abuse.

Install only for test wallets or throwaway funds unless the server is hardened. Do not use it with real SUI while /mnemonic, /import, /sign-raw, and /sign-and-execute are exposed without authentication, strict origin checks, and explicit per-request approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The background worker forwards any incoming `SUI_AGENT_REQUEST` message's `method` and `payload` directly to a privileged local server, with no allowlist, authentication, authorization, or user confirmation. In an extension architecture, this creates a broad RPC bridge from content-script-reachable code to localhost services, which can expose sensitive wallet or agent functionality and let untrusted pages indirectly drive local actions.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code exposes the full wallet object globally as window.__suiAgentWallet, not merely a limited debug handle. Any script running in the page context can discover and invoke wallet features such as connect, signTransaction, signAndExecuteTransaction, and signPersonalMessage, expanding the attack surface to all page JavaScript and making unauthorized signing attempts or wallet interaction easier.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The code comments describe transaction parsing as display-only, but the approval flow later accepts structured JSON transaction data, reconstructs a new Transaction, builds it, and then signs or executes it. This creates a dangerous mismatch between what an operator may think is being reviewed and what is actually authorized, enabling deceptive transaction presentation and unintended signing/execution of materially different actions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation claims the seed phrase is stored securely in macOS Keychain, but the implementation also encourages retrieval via a localhost endpoint and prints the mnemonic to console if Keychain storage fails. This creates a misleading security boundary and increases the chance that operators or downstream code will treat the wallet as safer than it is, while the seed can still be exposed through logs or auxiliary interfaces.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documentation explicitly advertises a local HTTP endpoint that returns the wallet mnemonic, which normalizes secret extraction and makes theft of all wallet assets trivial if any local process, agent, browser extension, or user copies the phrase. Even if intended for backup, exposing a seed phrase over an API is fundamentally unsafe because possession of the mnemonic grants full control over current and future derived accounts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The direct signing and sign-and-execute examples encourage sending opaque transaction bytes to an API without prominent warnings that approval can transfer funds, publish contracts, or perform irreversible on-chain actions. In an agent setting, this increases the chance of accidental or manipulated signing of harmful transactions, especially when users may treat the flow as routine automation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code sends page-derived context (`origin`, `url`, and `tabId`) to a local HTTP/WebSocket server automatically, but there is no evidence here of notice, consent, or minimization. This can leak browsing context and sensitive URL data to another local process, which is especially risky because localhost services are outside the browser's normal extension permission UX and may process data more broadly than users expect.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This injected provider forwards signing and execution requests to the background from any page script that can call the provider, while this file enforces no local user confirmation, origin validation, or request throttling. In the context of an injected wallet provider, that is dangerous because untrusted dapp JavaScript can trigger sensitive operations and the safety of the system is entirely delegated to unseen downstream components.
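The first finding on this page (the background worker forwarding any `SUI_AGENT_REQUEST` verbatim), the one about the full wallet object on `window.__suiAgentWallet`, and this one (the injected provider enforcing nothing) share a single fix: a background router that allowlists methods, takes the origin from the browser-supplied sender rather than from the message, gates signing on an explicit per-request approval, and a page provider that exposes only that narrow surface. The block below is an added example written for this review, not the extension's code; `askUserApproval`, the method names and the request shape are assumptions.

```javascript
'use strict';

// Added example, not the extension's own code. Method names and askUserApproval
// are assumptions used for illustration.

// Methods a web page may request at all. Mnemonic export/import and raw signing
// are deliberately absent: they are never routable from page-reachable code.
const PAGE_METHODS = new Set(['connect', 'getAccounts', 'signTransaction', 'signPersonalMessage']);
// Methods that need a fresh, explicit user decision on every call.
const NEEDS_APPROVAL = new Set(['connect', 'signTransaction', 'signPersonalMessage']);
// Origins the user approved through a prior connect.
const connectedOrigins = new Set();

// sender.url is filled in by the browser for chrome.runtime.onMessage; the
// message body is attacker-controlled and is never used to derive the origin.
function senderOrigin(sender) {
  try { return new URL(sender.url).origin; } catch { return null; }
}

// Returns { action: 'reject', reason } or { action: 'forward', request }. The
// forwarded request is a freshly built object, so extra attacker-supplied
// fields in the message never reach the local server.
async function routeRequest(message, sender, deps) {
  if (!message || message.type !== 'SUI_AGENT_REQUEST') {
    return { action: 'reject', reason: 'not a wallet request' };
  }
  if (typeof message.method !== 'string' || !PAGE_METHODS.has(message.method)) {
    return { action: 'reject', reason: `method not allowed: ${String(message.method)}` };
  }
  const origin = senderOrigin(sender || {});
  if (!origin) return { action: 'reject', reason: 'no verifiable sender origin' };
  if (message.method !== 'connect' && !connectedOrigins.has(origin)) {
    return { action: 'reject', reason: `origin not connected: ${origin}` };
  }
  if (NEEDS_APPROVAL.has(message.method)) {
    const ok = await deps.askUserApproval({ origin, method: message.method, payload: message.payload });
    if (!ok) return { action: 'reject', reason: 'user declined' };
    if (message.method === 'connect') connectedOrigins.add(origin);
  }
  return { action: 'forward', request: { method: message.method, payload: message.payload, origin } };
}

// What the content script injects into the page: a frozen object carrying only
// the page-facing methods. The wallet object itself is never placed on window.
function createPageProvider(post) {
  const call = (method, payload) => post({ type: 'SUI_AGENT_REQUEST', method, payload });
  return Object.freeze({
    connect: () => call('connect'),
    getAccounts: () => call('getAccounts'),
    signTransaction: (payload) => call('signTransaction', payload),
    signPersonalMessage: (payload) => call('signPersonalMessage', payload),
  });
}

module.exports = { routeRequest, createPageProvider, connectedOrigins, PAGE_METHODS };
```

The allowlist is the important part: a page can still ask for a signature, as any dapp provider allows, but it cannot name a method the router does not know, and the background never forwards the message object it received.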

Missing User Warnings

High
Confidence
99% confidence
Finding
The /mnemonic endpoint returns the wallet seed phrase over an unauthenticated local HTTP API with permissive CORS. Any local webpage, browser extension, or malware able to reach localhost can exfiltrate the mnemonic, permanently compromising all current and future wallet accounts derived from it.

Missing User Warnings

High
Confidence
98% confidence
Finding
The /sign-raw and /sign-and-execute endpoints perform high-risk wallet operations immediately on request, without any authentication, authorization, or separate approval workflow. Combined with Access-Control-Allow-Origin: * and a localhost listener, a malicious website or local process could induce signing or direct on-chain execution of attacker-controlled transactions.

Missing User Warnings

High
Confidence
99% confidence
Finding
The exportMnemonic() method returns the raw seed phrase directly with no access control, confirmation, redaction, or audit. In an agent/server context, any exposed route, plugin, prompt flow, or compromised component that can call this method can fully steal the wallet and irreversibly transfer assets.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The importMnemonic() method overwrites the active wallet seed and resets accounts without any confirmation or safeguard, which can silently replace the operator's wallet context. In an agent setting, a malicious or mistaken invocation could redirect future signing operations to attacker-controlled accounts, cause loss of access to the prior wallet state, or confuse operators about which assets they control.

Ssd 3

High
Confidence
99% confidence
Finding
The skill instructs users to retrieve the wallet seed phrase in plaintext via `curl` from a local server, directly exposing the most sensitive wallet secret through a convenience interface. This is highly dangerous because local malware, prompt-injected agents, shell history, logs, screenshots, or copied output can all capture the mnemonic and permanently compromise the wallet.

Ssd 3

High
Confidence
97% confidence
Finding
Across the API section, the documentation treats mnemonic exposure and import/export of seed phrases as standard agent-facing operations, which trains integrators to handle wallet secrets in natural language and API payloads. In an AI-agent context this is especially risky, because prompts, transcripts, telemetry, and tool outputs can inadvertently retain or retransmit the seed phrase, enabling full wallet takeover.

Credential Access

High
Category
Privilege Escalation
Content
const ACCOUNT_NAME = 'mnemonic';

/**
 * Store seed phrase in macOS Keychain
 */
export function storeMnemonic(mnemonic: string): boolean {
  try {
Confidence
98% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
}

/**
 * Retrieve seed phrase from macOS Keychain
 */
export function retrieveMnemonic(): string | null {
  try {
Confidence
88% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
      console.log('  🔐 NEW WALLET CREATED');
      console.log('═══════════════════════════════════════════════════════════');
      console.log('');
      console.log('  Seed phrase stored securely in macOS Keychain.');
      console.log('');
      console.log('  To view your seed phrase for backup:');
      console.log('    curl http://localhost:3847/mnemonic');
Confidence
96% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
      console.log('═══════════════════════════════════════════════════════════');
      console.log('');
    } else {
      // Fallback: print to console if Keychain fails
      console.log('');
      console.log('⚠️  Failed to store in Keychain. SAVE THIS SEED PHRASE:');
      console.log('');
Confidence
98% confidence
Finding
Keychain

Credential Access

High
Category
Privilege Escalation
Content
    } else {
      // Fallback: print to console if Keychain fails
      console.log('');
      console.log('⚠️  Failed to store in Keychain. SAVE THIS SEED PHRASE:');
      console.log('');
      console.log(`  ${mnemonic}`);
      console.log('');
Confidence
99% confidence
Finding
Keychain

VirusTotal

65/65 vendors flagged this skill as clean.
