Typhoon Starknet Account

Security checks across malware telemetry and agentic risk

Overview

This is a real Starknet wallet/DeFi skill, but it can read local private keys, sign broad on-chain transactions, and create persistent cron watchers, so it needs careful review before use.

Install only if you are comfortable giving the skill access to a Starknet wallet signer. Use a fresh low-value account, confirm every transaction after reviewing decoded calldata and asset impact, pin/audit npm dependencies, and check/remove any cron jobs created under ~/.openclaw/cron or your crontab.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Severity: High
What this means

If invoked incorrectly or by an untrusted prompt path, the agent could sign transactions that transfer tokens, approve spenders, or otherwise mutate the wallet's on-chain state.

Why it was flagged

The script reads a locally stored private key and uses it as a signer for a Starknet account, giving the skill direct authority over wallet transactions.

Skill content
const privateKey = readFileSync(keyPath, 'utf8').trim(); ... const account = new Account({ provider, address: input.accountAddress, signer: privateKey });
Recommendation

Use a dedicated low-balance wallet, protect ~/.openclaw/secrets/starknet, and require explicit user review for every transaction before signing.

ASI02: Tool Misuse and Exploitation
Severity: High
What this means

A mistaken parse or unsafe instruction could cause broad irreversible contract writes, including token transfers or approvals.

Why it was flagged

The script accepts a caller-supplied contract address, method, and args, then invokes that method with the wallet signer; the artifact does not show a hard allowlist or in-script confirmation gate.

Skill content
if (!input.contractAddress) fail('Missing "contractAddress".');
if (!input.method) fail('Missing "method".');
...
const result = await contract.invoke(input.method, args, { waitForTransaction: waitForTx });
Recommendation

Constrain allowed write methods/protocols, show decoded calldata and asset impact, and require a fresh explicit confirmation immediately before every broadcast.

ASI10: Rogue Agents
Severity: Medium
What this means

A watcher may continue running and sending events or triggering configured workflows after the user has left the conversation.

Why it was flagged

The watcher can add a crontab entry that runs every minute, and the run duration (durationMs) is optional, so background behavior can persist beyond the initiating session.

Skill content
"schedule": { // optional - creates cron job ... }
...
const cronEntry = `* * * * * ${shellPath} >> ${join(cronDir, `${jobName}.log`)} 2>&1`;
...
this.durationMs = config.durationMs || null;
Recommendation

Only enable scheduled watchers with a clear TTL, inspect ~/.openclaw/cron and crontab entries, and provide a documented stop/remove command.

ASI09: Human-Agent Trust Exploitation
Severity: Medium
What this means

Users may underestimate the script's access to wallet secrets and the resulting signing authority.

Why it was flagged

The file comment says there is no secrets access, but the code loads a private key from local storage.

Skill content
* This script receives account info via arguments - NO secrets access.
...
const privateKey = loadPrivateKeyByAccountAddress(accountAddress);
Recommendation

Correct the documentation to state that the script reads the local account private key for signing and explain exactly where keys are stored and how they are protected.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

Compromised or unexpected dependency updates could affect transaction signing or network behavior.

Why it was flagged

The skill depends on external npm packages with version ranges; this is expected for a Starknet integration, but those dependencies participate in wallet/account flows.

Skill content
"dependencies": {
  "@andersmyrmel/vard": "^1.2.0",
  "@avnu/avnu-sdk": "^4.0.1",
  "starknet": "^9.2.1",
  "typhoon-sdk": "^1.1.13",
  "ws": "^8.19.0"
}
Recommendation

Install in an isolated environment, pin and audit dependency versions, and avoid using high-value wallets until dependencies are reviewed.

ASI07: Insecure Inter-Agent Communication
Severity: Low
What this means

Configured webhook recipients can receive watcher data; this appears user-directed and purpose-aligned, but the destination should be trusted.

Why it was flagged

The event watcher can send event data to a configured webhook URL.

Skill content
"webhookUrl": "http://localhost:3000/webhook", // optional
...
await fetch(webhookUrl, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(data) });
Recommendation

Use only trusted webhook URLs and avoid including private wallet notes, keys, or sensitive local data in watcher payloads.

ASI05: Unexpected Code Execution
Severity: Low
What this means

Helper-script execution is expected, but unsafe script-path handling could broaden what code the agent runs.

Why it was flagged

The static scan shows child_process spawning of Node scripts. That is consistent with a script-dispatch architecture, but the full file is not included in the visible source excerpt.

Skill content
const child = spawn('node', [scriptPath, JSON.stringify(args)], {
Recommendation

Ensure resolve-smart.js only dispatches to bundled, reviewed scripts and never to user-supplied paths.