Back to skill

Security audit

Typhoon Starknet Account

Security checks across malware telemetry and agentic risk

Overview

This Starknet wallet skill mostly matches its purpose, but it needs review because it can read local wallet keys, sign mainnet transactions, and install persistent cron-based event watchers.

Install only if you intend to let the skill manage and use a Starknet signing account. Prefer a fresh low-value wallet, set a trusted RPC endpoint, inspect every transaction plan before confirming, avoid untrusted webhook URLs, and check ~/.openclaw/secrets/starknet plus your crontab after using scheduled watchers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (44)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares broad executable tooling (Bash, Write, network-capable scripts) and explicitly documents environment-variable use, RPC access, and shell execution, but the finding indicates these capabilities are not reflected in a proper permissions model. This matters because the skill handles wallet creation and contract interaction, so undeclared env/network/shell access increases the chance of secret exposure, unintended network calls, or unsafe execution without adequate review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest presents the skill primarily as anonymous wallet creation and Starknet interaction, but the documented behavior extends to generic arbitrary contract reads/writes, event watching, conditional execution, swaps, and local state modification. This mismatch is dangerous because reviewers or users may authorize a seemingly narrow wallet skill while actually granting a much broader automation and transaction surface, including autonomous execution paths and persistence.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The documentation states that conditional event handling creates cron jobs with TTL auto-cleanup, introducing persistence and scheduled execution that exceeds the stated wallet/account purpose. Scheduled jobs are risky in an agent context because they can continue monitoring and later trigger actions outside the immediate user session, increasing the chance of unauthorized or overlooked autonomous behavior.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file explicitly claims it performs 'NO secrets access' and that account data comes only from arguments, but it actually enumerates ~/.openclaw/secrets/starknet, reads account metadata, resolves a privateKeyPath, and loads the private key from disk. This mismatch is dangerous because it conceals privileged local secret access behind a seemingly harmless swap helper, increasing the chance an agent or reviewer will grant or invoke it without understanding that it can sign transactions using stored keys.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script has direct capability to browse a local secrets directory and read private key files based on an externally supplied accountAddress, then instantiate a signing account and execute a swap. In a skill marketed around wallet creation and Starknet interaction, this is sensitive because it expands the trust boundary from contract interaction into local secret material access, enabling unauthorized transaction signing if the skill is invoked in a broader agent environment.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script persists the generated Starknet private key to a predictable location under the user's home directory, which creates durable secret material on disk beyond the immediate wallet-creation task. In an agent setting, local secret persistence increases exposure to later compromise, backup leakage, multi-tenant access, or accidental exfiltration by other tools, especially because the skill markets anonymity/privacy but does not foreground this storage behavior.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The hardcoded secrets directory enables filesystem secret-management behavior that is broader than simple wallet creation and creates a long-lived local secret repository. In an agent environment, this expands the skill's trust boundary and can surprise users or orchestrators that expected only network/account creation, making unauthorized reuse or discovery of wallet keys more likely.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script enumerates account metadata under ~/.openclaw/secrets/starknet and reads the corresponding private key file to sign transactions. That gives the skill direct access to locally stored signing material, which is sensitive capability expansion beyond the stated privacy-focused wallet creation description and increases the risk of unauthorized fund movement if an agent or caller can trigger this script with arbitrary parameters.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The script introduces a specialized game-playing capability that is outside the declared skill purpose of anonymous Starknet wallet creation and generic contract interaction. In an agent setting, this kind of scope creep is dangerous because it expands the set of on-chain actions the skill can perform, increasing the chance of unauthorized or user-unexpected transactions and making review harder.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script locates an account by address and then reads the corresponding Starknet private key from the local secrets directory to sign transactions for a game flow. Even though it does not exfiltrate the key, this is a high-risk capability because unrelated skill functionality can trigger sensitive signing authority over any locally stored account, which is especially dangerous when bundled into a privacy-focused wallet skill.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This parser accepts a `register` object from its JSON input and persistently writes attacker-controlled protocol names and addresses into `protocols.json`. Because later runs trust that registry to resolve protocol addresses and fetch ABIs, an untrusted caller can poison local configuration and steer future contract interactions toward arbitrary contracts.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This file constructs persistent event watchers and scheduled conditional actions, which is materially broader than the declared purpose of anonymous wallet creation and contract interaction. In an agent context, background monitoring and automatic follow-on actions can create standing authority and surprise execution paths that users may not expect from the skill metadata.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The skill description suggests wallet creation, but this code instead loads existing local Starknet secrets from disk. That mismatch can mislead operators about what the skill will access, causing unintended exposure of pre-existing accounts and violating least surprise in a secrets-handling component.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The orchestrator acts as a general child-script execution framework, spawning scripts based on plan data and inheriting the runtime environment. In a security-sensitive wallet skill, this broad execution model expands the attack surface and can let unexpected functionality run with the same ambient privileges as the parent process.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script can create persistent cron jobs, write executable shell scripts, and maintain configuration/log files under the user's home directory. For a skill described as creating an anonymous Starknet wallet, persistence and scheduler installation are outside the expected trust boundary and create a durable execution foothold that could be abused or surprise the user.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script exfiltrates observed blockchain event data to an arbitrary user-supplied webhook URL without any explicit privacy warning in the execution flow. Even if event data is public on-chain, forwarding it to external infrastructure can reveal user interests, monitored addresses, timing, and operational metadata to third parties.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code modifies the user's crontab and persists executable scripts/configuration to disk, establishing recurring execution. This is a classic persistence mechanism and is unjustified by the stated wallet/account purpose, increasing the chance of stealthy long-lived behavior if the skill or its inputs are later abused.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
The self-destruct logic scans cron-related files, rewrites the user's crontab, and deletes files based on derived names or content matches. Cleanup code with authority to enumerate and mutate persistence artifacts broadens the blast radius and risks deleting or altering unintended local resources, especially if state files are manipulated.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises anonymous wallet creation and contract write flows without prominently warning that blockchain transactions may be irreversible, financially risky, and only partially private. In a privacy-focused wallet skill, omission of such warnings is especially dangerous because users may wrongly infer strong anonymity guarantees or underestimate the risk of asset loss from writes and swaps.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Documenting fallback to a public RPC endpoint without a privacy warning is dangerous in a skill whose stated purpose is anonymity/privacy. Public RPC providers can observe IP-linked metadata, account addresses, contract interactions, and timing patterns, which can undermine the privacy expectations created by the skill description even if on-chain addresses are newly created.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes conditional watch-and-execute behavior that can react to events and execute transactions, but it does not clearly warn about autonomous on-chain actions and the associated financial and authorization risks. In practice, users may not realize they are enabling future transaction execution triggered by external events, which is substantially more dangerous than a one-time manual contract call.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The false assurance in the comment obscures that the script loads private keys from local storage and signs on-chain transactions. Even though the issue is documentary on its face, in security-sensitive agent skills misleading claims about secret access materially increase risk by defeating human review, policy gating, and least-privilege deployment decisions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes the private key and artifact metadata to disk without any user-facing warning, despite handling highly sensitive wallet credentials. Users may believe they are only creating an anonymous account via Typhoon, while in reality the agent leaves recoverable key material on the host that can undermine anonymity and fund security if the system is later accessed.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs an on-chain withdrawal/deployment operation through Typhoon and then queries an RPC provider, but it does not present a user-facing disclosure or confirmation before initiating these external actions. In an agent context, undisclosed blockchain operations can spend funds, create irreversible transactions, reveal metadata, and violate user expectations about when network actions occur.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script writes directly to `protocols.json` during the normal parse flow with no confirmation, approval boundary, or provenance checks in this component. In an agent setting, that means a crafted upstream request can create persistent state changes that survive the current interaction and influence later transaction parsing and execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/resolve-smart.js:1193

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/watch-events-smart.js:117

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/avnu-swap.js:205

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/create-account.js:113

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/invoke-contract.js:86

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/loot-survivor.js:375