Typhoon Starknet Account

Advisory: audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly or without careful confirmation, the skill could spend, approve, swap, or otherwise affect assets controlled by the local Starknet account.

Why it was flagged

The swap helper reads a local wallet private key and uses it as the signer for on-chain transactions, giving the skill direct authority over wallet funds.

Skill content
const privateKey = loadPrivateKeyByAccountAddress(accountAddress); ... const account = new Account({ provider, address: accountAddress, signer: privateKey });
Recommendation

Only use with a dedicated low-balance wallet, confirm every transaction plan, and verify that private-key access is explicitly declared and limited to the intended account.

What this means

A user or agent may underestimate the risk and believe swaps do not touch local secret material.

Why it was flagged

The script comment says it does not access secrets, but the code loads the private key from local storage, which is a material mismatch in security disclosure.

Skill content
This script receives account info via arguments - NO secrets access. ... const privateKey = loadPrivateKeyByAccountAddress(accountAddress);
Recommendation

Update the documentation to state that the script reads the local account private key, and require explicit user approval before any signing operation.

What this means

A mistaken or manipulated invocation could transfer tokens, approve spenders, or call arbitrary contract functions from the user's wallet.

Why it was flagged

The helper can sign and send a state-changing call to a user-supplied contract method with user-supplied arguments, without an internal confirmation gate in that script.

Skill content
const privateKey = loadPrivateKeyByAccountAddress(input.accountAddress); ... const result = await contract.invoke(input.method, args, { waitForTransaction: waitForTx });
Recommendation

Enforce confirmation, simulation, contract allowlists, and clear transaction previews inside the executable path, not only in higher-level instructions.

Concern (Medium Confidence)
ASI10: Rogue Agents
What this means

The skill could keep running background monitoring jobs after the original task, consuming resources or triggering later actions if configured that way.

Why it was flagged

The event watcher can install a cron job that runs every minute, and the duration is optional, so scheduled watchers may persist indefinitely.

Skill content
"schedule": { // optional - creates cron job ... const cronEntry = `* * * * * ${shellPath} >> ${join(cronDir, `${jobName}.log`)} 2>&1`; ... this.durationMs = config.durationMs || null;
Recommendation

Require explicit opt-in for cron setup, require a finite duration by default, and provide clear list/remove commands for all watcher jobs.

What this means

Watched contract activity may be sent to a third-party or local webhook endpoint chosen in the configuration.

Why it was flagged

The watcher can forward event data to a configured webhook URL, which is purpose-aligned but creates an external data boundary.

Skill content
await fetch(webhookUrl, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(data), signal: controller.signal });
Recommendation

Use only trusted webhook URLs and avoid including sensitive off-chain context in event watcher payloads.

What this means

Future installs could resolve different dependency versions than the reviewer saw.

Why it was flagged

The skill depends on public npm packages with semver ranges; this is normal for the integration but not fully pinned in the provided artifacts.

Skill content
"dependencies": { "@avnu/avnu-sdk": "^4.0.1", "starknet": "^9.2.1", "typhoon-sdk": "^1.1.13", "ws": "^8.19.0" }
Recommendation

Use a lockfile or pinned versions and install only from trusted package registries.

Findings (6)

critical

suspicious.dangerous_exec

Location
scripts/resolve-smart.js:1193
Finding
Shell command execution detected (child_process).

critical

suspicious.dangerous_exec

Location
scripts/watch-events-smart.js:117
Finding
Shell command execution detected (child_process).

critical

suspicious.exposed_secret_literal

Location
scripts/avnu-swap.js:205
Finding
File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location
scripts/create-account.js:113
Finding
File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location
scripts/invoke-contract.js:86
Finding
File appears to expose a hardcoded API secret or token.

critical

suspicious.exposed_secret_literal

Location
scripts/loot-survivor.js:375
Finding
File appears to expose a hardcoded API secret or token.