Typhoon Starknet Account
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill fits its Starknet wallet purpose, but it can sign high-impact transactions with local private keys and create persistent background watchers, with some under-disclosed or misleading secret handling.
Install only if you intentionally want an agent-controlled Starknet wallet. Use a dedicated wallet with limited funds, review every transaction before approving, inspect or disable cron watchers, and do not provide Typhoon notes or wallet files unless you trust the skill and its dependencies.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly or without careful confirmation, the skill could spend, approve, swap, or otherwise affect assets controlled by the local Starknet account.
The swap helper reads a local wallet private key and uses it as the signer for on-chain transactions, giving the skill direct authority over wallet funds.
const privateKey = loadPrivateKeyByAccountAddress(accountAddress); ... const account = new Account({ provider, address: accountAddress, signer: privateKey });
Only use with a dedicated low-balance wallet, confirm every transaction plan, and verify that private-key access is explicitly declared and limited to the intended account.
A user or agent may underestimate the risk and believe swaps do not touch local secret material.
The script comment says it does not access secrets, but the code loads the private key from local storage, which is a material mismatch in security disclosure.
This script receives account info via arguments - NO secrets access. ... const privateKey = loadPrivateKeyByAccountAddress(accountAddress);
Update the documentation to state that the script reads the local account private key, and require explicit user approval before any signing operation.
A mistaken or manipulated invocation could transfer tokens, approve spenders, or call arbitrary contract functions from the user's wallet.
The helper can sign and send a state-changing call to a user-supplied contract method with user-supplied arguments, without an internal confirmation gate in that script.
const privateKey = loadPrivateKeyByAccountAddress(input.accountAddress); ... const result = await contract.invoke(input.method, args, { waitForTransaction: waitForTx });
Enforce confirmation, simulation, contract allowlists, and clear transaction previews inside the executable path, not only in higher-level instructions.
The skill could keep running background monitoring jobs after the original task, consuming resources or triggering later actions if configured that way.
The event watcher can install a cron job that runs every minute, and the duration is optional, so scheduled watchers may persist indefinitely.
"schedule": { // optional - creates cron job ... const cronEntry = `* * * * * ${shellPath} >> ${join(cronDir, `${jobName}.log`)} 2>&1`; ... this.durationMs = config.durationMs || null;
Require explicit opt-in for cron setup, require a finite duration by default, and provide clear list/remove commands for all watcher jobs.
Watched contract activity may be sent to a third-party or local webhook endpoint chosen in the configuration.
The watcher can forward event data to a configured webhook URL, which is purpose-aligned but creates an external data boundary.
await fetch(webhookUrl, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(data), signal: controller.signal });
Use only trusted webhook URLs and avoid including sensitive off-chain context in event watcher payloads.
Future installs could resolve different dependency versions than the reviewer saw.
The skill depends on public npm packages with semver ranges; this is normal for the integration but not fully pinned in the provided artifacts.
"dependencies": { "@avnu/avnu-sdk": "^4.0.1", "starknet": "^9.2.1", "typhoon-sdk": "^1.1.13", "ws": "^8.19.0" }
Use a lockfile or pinned versions and install only from trusted package registries.
