Skill v1.0.3
ClawScan security
Sui Agent Wallet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:34 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The code implements a working local Sui wallet and browser extension (consistent with the stated purpose) but exposes the wallet seed and an unauthenticated HTTP API with permissive CORS, which makes accidental or malicious exfiltration trivial — this design choice is disproportionate and risky.
- Guidance: This skill implements a local Sui wallet and a Chrome extension that injects a wallet provider into web pages. Important risks and suggestions:
  - Major risk: the server exposes endpoints (SKILL.md shows curl http://localhost:3847/mnemonic) and sets CORS to '*'. If the /mnemonic endpoint (or other signing endpoints) is served without authentication and with permissive CORS, any webpage can fetch or trigger actions on the local wallet via JavaScript — this can lead to immediate secrets exfiltration or unauthorized signing.
  - Before installing, review server/index.ts to confirm whether /mnemonic or signing endpoints require explicit user approval, authentication tokens, or an allowlist. The presence of getMnemonic()/exportMnemonic() in wallet.ts and the SKILL.md curl example strongly indicate the seed can be obtained via HTTP.
  - If you want to try this code safely:
    - Do NOT use it on a machine with real/mainnet funds. Run it in a disposable VM or isolated development environment.
    - Consider removing or protecting any /mnemonic or export endpoints, and avoid setting Access-Control-Allow-Origin to '*' (instead restrict to extension origin or require user approval per request).
    - Limit extension host_permissions/matches to only the DApp origins you need rather than "<all_urls>".
    - Add an authenticated UI prompt or browser-native confirmation before returning the mnemonic or signing any transaction (do not rely solely on the agent or an unauthenticated HTTP call).
  - If you need an outright safe verdict: treat this package as suspicious until the server is changed to require strong per-request user confirmation and the CORS/HTTP exposure is hardened.
  - If you want, I can: (1) point to the exact lines where /mnemonic and CORS are handled in index.ts, (2) suggest code changes to require a local-only token or an approval flow, or (3) produce a safer configuration patch (restrict CORS, remove mnemonic endpoint, require ephemeral auth tokens) you can apply.
- Findings
[base64-block] expected: Base64 blobs are present (data URL icon in inject.js and base64 PNG fallback in install.sh). These are benign for a browser extension that embeds an icon or placeholder image.
Review Dimensions
- Purpose & Capability (note): The files (extension + local server + wallet/keychain logic) match the name 'Sui Agent Wallet' and implement expected features (seed generation, BIP39 derivation, signing, Wallet Standard injection). However, the extension manifest grants broad host_permissions ("<all_urls>") and the server exposes HTTP endpoints (including one that returns the mnemonic per SKILL.md). Those pieces are functionally related to a browser wallet but the combination (open local HTTP API + global content script permissions) expands the attack surface beyond what most wallets expose by default.
- Instruction Scope (concern): SKILL.md explicitly instructs users that the server stores the seed in macOS Keychain and gives a curl example to GET /mnemonic. The server sets CORS Access-Control-Allow-Origin: '*', meaning a remote webpage or any local page can fetch wallet endpoints from JS. Exposing an endpoint that returns the raw mnemonic (no auth shown) and allowing cross-origin requests is a serious scope breach: web pages could read the seed or trigger signing unless additional authorization is enforced by the server (none is visible).
- Install Mechanism (ok): No remote download of arbitrary code is used by the registry metadata. Installation uses a local install.sh that calls bun install (dependencies are standard NPM packages listed in package.json). This is a typical local install setup; nothing in the install process pulls from an untrusted URL or runs an opaque binary.
- Credentials (ok): The skill declares no required environment variables or credentials. It uses macOS Keychain via the 'security' CLI for storing the seed, which is reasonable for secure storage on macOS, but will fail on non-macOS systems. No unrelated cloud credentials are requested.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request elevated or cross-skill configuration. It runs as a local server + extension pair and does not modify other skills or global agent settings. Autonomous invocation by the agent is possible (default), but that alone is expected.
