Sui Agent Wallet
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a real Sui wallet skill, but it exposes seed phrase and transaction-signing controls through broad, unauthenticated local/browser interfaces that need review before use.
Treat this as a high-risk wallet integration. Use only testnet/devnet funds until the local API has authentication, wildcard CORS is removed, seed export is disabled or tightly gated, and the extension is limited to trusted DApps. Do not store valuable mainnet assets in this wallet without an independent security review.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious local process or web context that can reach the localhost server may be able to approve or trigger wallet actions, including signing or executing transactions.
The local server applies wildcard CORS and exposes transaction approval/signing as HTTP endpoints. The shown approval route performs signing/execution and resolves the pending request without any visible authentication, token, CSRF protection, or origin allowlist.
'Access-Control-Allow-Origin': '*', ... if (path.startsWith('/approve/') && req.method === 'POST') { ... result = await wallet.signAndExecuteTransaction(txBytes, request.payload.options); ... request.resolve?.(result); }Require a per-session secret token, disable wildcard CORS, bind explicitly to localhost, add origin allowlists, and require a separate human confirmation for mainnet or value-moving transactions.
Anyone or anything that obtains the seed phrase can take over the wallet and move funds on any supported network.
The skill documents an HTTP endpoint that returns the wallet seed phrase. A seed phrase is the root credential for the wallet and controls all derived accounts.
# Get seed phrase (for backup) curl http://localhost:3847/mnemonic
Remove the HTTP seed-export endpoint or gate it behind explicit local user confirmation and strong authentication. Do not use this wallet for valuable mainnet assets until seed export is tightly controlled.
Untrusted websites can present themselves to the agent wallet and request signatures or transaction execution, increasing phishing and malicious-DApp risk.
The extension injects into every site and frame. Combined with the content/background bridge to the local signing server, this gives any visited DApp/page a path to request wallet operations unless separately restricted.
"host_permissions": ["<all_urls>"], ... "matches": ["<all_urls>"], ... "all_frames": true
Restrict extension matches to trusted DApp origins where possible, add an origin allowlist in the server, and display the requesting origin in a non-bypassable approval flow.
On non-macOS systems or Keychain failures, the wallet seed may appear in terminal logs, scrollback, recordings, or agent transcripts.
The documentation emphasizes secure macOS Keychain storage, but the implementation falls back to printing the seed phrase if Keychain storage fails. The registry metadata does not restrict the skill to macOS.
console.log('⚠️ Failed to store in Keychain. SAVE THIS SEED PHRASE:'); ... console.log(` ${mnemonic}`);Declare a macOS-only requirement or implement secure cross-platform storage. Avoid printing the mnemonic by default; require an explicit backup command with warnings.
The seed phrase may briefly appear in process arguments, and shell-based secret handling is easier to misuse than direct APIs.
Shell execution is used for macOS Keychain integration, which matches the stated purpose. The service/account names are constants and mnemonics are generated or validated, so this is not clear command injection, but it is still sensitive shell use.
import { execSync } from 'child_process'; ... execSync(`security add-generic-password -s "${SERVICE_NAME}" -a "${ACCOUNT_NAME}" -w "${mnemonic}"`)Use a native Keychain library or spawn commands with argument arrays and safer secret handling.
Future installs may resolve different dependency versions than the reviewed package.
The server installs wallet/crypto dependencies with floating semver ranges, and no server lockfile is listed in the manifest. This is common but important for a wallet because dependency changes affect key handling and signing.
"dependencies": { "@mysten/sui": "^1.21.1", "@mysten/bcs": "^1.3.0", "@scure/bip39": "^1.4.0" }Ship and verify a lockfile for the server, pin security-critical dependencies, and document the exact install provenance.