Relay Link Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate crypto bridge helper, but it can use a raw wallet private key to sign and broadcast live transactions, and it does not provide safeguards proportionate to that level of financial authority.

Install only if you are comfortable giving this skill access to a raw EVM private key and allowing it to prepare and broadcast bridge transactions after a single yes/no prompt. Use a dedicated low-balance wallet; verify the recipient, chain, amount, fees, and transaction target independently of the skill's own output before confirming; and never point it at a primary wallet or a long-lived high-value key.
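One way to do that independent verification in code, as an added example that is not part of the skill or of the scanner output: record the user's intent (chain, bridge contract, far-side recipient, amount and fee caps) before any tool runs, then diff the prepared transaction against it. Field names follow the eth_sendTransaction JSON-RPC shape; the bridge address, recipient and sample transaction are constructed, and the calldata check is a heuristic that stands in for a full ABI decode.

```python
# Added example (not the skill's own code): check a prepared bridge transaction
# against the intent the user stated before any tool ran. Field names follow the
# JSON-RPC eth_sendTransaction shape; the sample transaction and intent are constructed.
from dataclasses import dataclass
from decimal import Decimal

WEI_PER_ETH = Decimal(10) ** 18


@dataclass(frozen=True)
class Intent:
    """What the user meant to do, recorded independently of the skill's output."""
    chain_id: int
    target: str            # contract the transaction is sent to (the bridge), hypothetical
    recipient: str         # address that should receive funds on the far side
    max_amount_eth: Decimal
    max_fee_eth: Decimal


def normalize_address(addr: str) -> str:
    """Lower-case 0x-prefixed 20-byte hex; rejects anything else (no checksum check)."""
    a = addr.strip().lower()
    body = a[2:] if a.startswith("0x") else ""
    if len(body) != 40 or any(c not in "0123456789abcdef" for c in body):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return "0x" + body


def _to_int(v) -> int:
    """Accept ints or decimal/hex strings as produced by RPC and CLI tooling."""
    return v if isinstance(v, int) else int(str(v), 0)


def check_tx_against_intent(tx: dict, intent: Intent) -> list[str]:
    """Return a list of mismatches; an empty list means the tx matches the stated intent."""
    problems: list[str] = []

    chain_id = _to_int(tx.get("chainId", -1))
    if chain_id != intent.chain_id:
        problems.append(f"chainId {chain_id} != expected {intent.chain_id}")

    try:
        to = normalize_address(str(tx.get("to", "")))
        if to != normalize_address(intent.target):
            problems.append(f"tx target {to} != expected bridge contract {intent.target.lower()}")
    except ValueError as exc:
        problems.append(str(exc))

    value_eth = Decimal(_to_int(tx.get("value", 0))) / WEI_PER_ETH
    if value_eth > intent.max_amount_eth:
        problems.append(f"value {value_eth} ETH exceeds cap {intent.max_amount_eth} ETH")

    # Worst-case fee under EIP-1559: gas limit * maxFeePerGas.
    fee_eth = Decimal(_to_int(tx.get("gas", 0)) * _to_int(tx.get("maxFeePerGas", 0))) / WEI_PER_ETH
    if fee_eth > intent.max_fee_eth:
        problems.append(f"max fee {fee_eth} ETH exceeds cap {intent.max_fee_eth} ETH")

    # For a bridge, the far-side recipient lives in calldata, not in `to`. Without the
    # bridge ABI we can only check that the expected address bytes appear there at all;
    # this is a heuristic, and a full decode is still required before confirming.
    data = str(tx.get("data", "0x")).lower()
    if normalize_address(intent.recipient)[2:] not in data[2:]:
        problems.append("expected recipient does not appear in calldata; decode with the bridge ABI before confirming")

    return problems


# Constructed sample: a 0.01 ETH bridge deposit on chain 1 to a hypothetical bridge contract.
SAMPLE_INTENT = Intent(
    chain_id=1,
    target="0x" + "11" * 20,
    recipient="0x" + "22" * 20,
    max_amount_eth=Decimal("0.05"),
    max_fee_eth=Decimal("0.01"),
)


def sample_tx(recipient_hex: str = "22" * 20, value_wei: int = 10**16) -> dict:
    """Build a constructed transaction; override fields to simulate a tampered quote."""
    return {
        "chainId": "0x1",
        "to": "0x" + "11" * 20,
        "value": hex(value_wei),
        "gas": "0x33450",               # 210000
        "maxFeePerGas": "0x6fc23ac00",  # 30 gwei
        "data": "0x" + "deadbeef" + "00" * 12 + recipient_hex + "00" * 32,  # selector + padded recipient + amount
    }


if __name__ == "__main__":
    print("clean:", check_tx_against_intent(sample_tx(), SAMPLE_INTENT))
    print("tampered:", check_tx_against_intent(sample_tx(recipient_hex="33" * 20, value_wei=10**18), SAMPLE_INTENT))
```

The point of keeping `Intent` separate from the skill's output is that the prompt the skill shows comes from the same code path that built the transaction; if that path is wrong or poisoned, the prompt will agree with it. The check only has value when the intent is captured from the user directly and the comparison runs outside the skill.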

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes local shell scripts and explicitly depends on network-capable binaries, yet it declares no permissions. In a wallet-bridging skill that can sign and submit blockchain transactions using configured private-key-based credentials, this mismatch hides sensitive capabilities from users and the host platform, increasing the chance of unintended or opaque fund-moving actions.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The script silently reads the user's local EVM address from ~/.openclaw/config.env and uses it to query transaction history, which expands data access beyond the explicit user-supplied arguments. While a wallet address is not a secret like a private key, it is sensitive metadata and its use is not clearly disclosed by the skill description, creating an unnecessary privacy exposure.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script automatically reads a private key and wallet addresses from a global file in the user's home directory, creating implicit secret access without per-use consent. In an agent skill context, this is dangerous because invoking the skill can immediately gain signing capability over the user's wallet if that file exists.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
Although the comment suggests this is more secure than a CLI argument, exporting the private key into the environment still exposes it to every child process the script spawns, and potentially to process inspection (the environment of a running process is readable by other processes of the same user), logs, or crash reports. This weakens key isolation at the exact point the script performs a live transaction.
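The mechanism behind this finding, shown as an added example rather than the skill's own code: the flagged pattern exports the key and then spawns children, so an unrelated helper inherits it; the scoped alternative hands the key only to the signer, on stdin, with a scrubbed environment. The variable name EVM_PRIVATE_KEY is assumed, the "signer" is a sha256 stand-in for real ECDSA signing, and the key and payload are constructed.

```python
# Added example (not the skill's own code): the exported-key pattern the finding describes
# beside a scoped alternative. Variable name EVM_PRIVATE_KEY is assumed; "signing" is a
# sha256 stand-in for a real signer; the key and payload below are constructed.
import hashlib
import os
import subprocess
import sys

KEY_VAR = "EVM_PRIVATE_KEY"

# Stand-in for any unrelated helper the script shells out to after exporting the key
# (jq, curl, a chain CLI); it simply reports whether the key was handed to it.
_HELPER = f"import os; print(os.environ.get({KEY_VAR!r}, ''), end='')"

# Stand-in signer: takes the key on stdin, "signs" the payload, and reports whether the
# key was also visible in its environment.
_SIGNER = f"""
import hashlib, os, sys
key = sys.stdin.readline().rstrip('\\n')
payload = sys.argv[1].encode()
print(hashlib.sha256(key.encode() + payload).hexdigest(), int({KEY_VAR!r} in os.environ), end='')
"""

# Environment variables a child still needs; everything else, including the key, is dropped.
_KEEP = ("PATH", "HOME", "LANG", "LC_ALL", "LD_LIBRARY_PATH", "SYSTEMROOT")


def helper_sees_exported_key(key: str) -> str:
    """Flagged pattern: export the key, then spawn children. Returns what the helper saw."""
    env = dict(os.environ, **{KEY_VAR: key})  # equivalent of `export EVM_PRIVATE_KEY=...`
    out = subprocess.run([sys.executable, "-c", _HELPER], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout


def sign_with_scoped_key(key: str, payload: str) -> tuple[str, bool]:
    """Hardened: only the signer gets the key, on stdin, with a scrubbed environment."""
    env = {k: os.environ[k] for k in _KEEP if k in os.environ}
    out = subprocess.run([sys.executable, "-c", _SIGNER, payload], input=key + "\n",
                         env=env, capture_output=True, text=True, check=True)
    sig, in_env = out.stdout.split()
    return sig, in_env == "1"


def expected_signature(key: str, payload: str) -> str:
    """Same stand-in computation, for checking the signer's output."""
    return hashlib.sha256(key.encode() + payload.encode()).hexdigest()


if __name__ == "__main__":
    k = "0x" + "ab" * 32  # constructed, not a real key
    print("helper saw:", helper_sees_exported_key(k))
    print("signer:", sign_with_scoped_key(k, "bridge:1->10:0.01"))
```

Passing the key on stdin rather than as an argument also keeps it out of `ps` output and shell history; the scrubbed environment is what stops every later `curl`, `jq` or chain CLI invocation from inheriting it.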

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes automated signing and sending of bridge transactions using a private key loaded from a local config file, but it does not warn users about irreversible fund transfers, bridge risk, or the sensitivity of hot private keys. In a skill designed for autonomous execution of cross-chain transfers, this omission materially increases the chance of unsafe use, accidental loss of funds, or over-trusting the skill with signing authority.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase "tokens" is so broad that ordinary conversation about crypto assets could accidentally invoke the skill. In this context, the skill is not merely informational—it can lead users into bridge/swap workflows tied to wallet credentials—so accidental activation is more dangerous than it would be for a read-only utility.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script loads the private key silently from local storage with no up-front disclosure to the user that invoking the skill may access wallet credentials. In a bridge automation skill, hidden credential use materially increases the risk of unintended signing authority and user surprise.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends wallet address, chain IDs, recipient, asset identifiers, and amount to a third-party API before any user confirmation prompt. Even if needed for quoting, this is still sensitive transaction metadata disclosure to a remote service without explicit prior consent.

VirusTotal

65/65 vendors flagged this skill as clean.
