Signaai

Security checks across malware telemetry and agentic risk

Overview

This skill is a real blockchain automation tool, but it grants an always-running agent broad authority over wallet funds, local OpenClaw settings, and external data sharing.

Review this carefully before installing. Use only a small dedicated wallet, assume the configured passphrase can authorize real mainnet transactions while the daemon runs, avoid reusing important OpenClaw API keys, and understand that task and result data may be sent to LLM providers and Telegram. This is not classified as malicious, but it should be treated as a high-authority financial automation skill requiring explicit operational safeguards.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (37)

Context-Inappropriate Capability (Medium severity, 96% confidence)

The setup flow explicitly instructs saving wallet passphrases to `~/.openclaw/signaai-worker.json` and installing a launchd daemon. Persisting blockchain credentials on disk and enabling an always-on agent materially increases the blast radius of compromise, because theft of the file or abuse of the daemon can lead to unauthorized transactions.

Context-Inappropriate Capability (Medium severity, 94% confidence)

The skill instructs users to modify OpenClaw and Telegram approval configuration so exec approval requests can be handled more easily. Lowering friction on privileged command approval from within a transaction-capable skill weakens operational safeguards and may normalize broad approval for commands the user does not fully inspect.

Context-Inappropriate Capability (Medium severity, 95% confidence)

The escrow script reads local OpenClaw/Telegram configuration and performs outbound Telegram notifications that are not necessary for core escrow execution. In a wallet-signing/payment context, this creates an unexpected secondary data flow to a third party and can leak transaction metadata, operational behavior, and local configuration use without explicit operator consent.

Description-Behavior Mismatch (Medium severity, 91% confidence)

The file implements far more than passive messaging or escrow plumbing: it autonomously performs LLM research, publishes proofs, submits escrow results, and can auto-release payment. That expands the skill into an autonomous agent runner with financial side effects, so untrusted on-chain messages can trigger consequential external actions without an explicit approval boundary.

Context-Inappropriate Capability (Medium severity, 93% confidence)

The code reads OpenClaw-wide provider settings and API keys from unrelated local configuration and reuses them for this skill's outbound LLM calls. That creates cross-skill privilege expansion: any task routed through this listener can consume globally configured credentials and exfiltrate task data to third-party providers the user may not expect this skill to access.

Context-Inappropriate Capability (Medium severity, 95% confidence)

The fallback path constructs a natural-language instruction block for another local agent and embeds untrusted task content into that workflow. This turns the listener into an indirect command dispatcher, allowing attacker-controlled task text to influence a separate agent's behavior and potentially trigger unsafe multi-step actions.

Description-Behavior Mismatch (Medium severity, 88% confidence)

The listener sends task completion details and result previews through Telegram, which is an additional external disclosure channel beyond on-chain messaging/payment behavior. Because tasks may contain sensitive research content, automatically relaying them to Telegram can leak confidential data to a third-party service and to whoever controls that chat.

Intent-Code Divergence (Medium severity, 96% confidence)

The self-test embeds a real mnemonic-style passphrase and derives signing/agreement private keys from it, then prints those secrets to stdout. Even if presented as a demo, this creates a reusable credential artifact that can be copied into logs, CI output, terminals, screenshots, or documentation, which is especially unsafe in a blockchain payment skill where keys directly control funds and message authority.

Context-Inappropriate Capability (Medium severity, 91% confidence)

The script persistently weakens and modifies OpenClaw execution approvals by enabling auto-allow behavior and adding allowlist entries, then separately installs an always-on launchd job. Those are powerful persistence and execution-approval capabilities that go beyond simple blockchain payment functionality and materially increase the blast radius if the skill or its scripts are later changed or compromised.

Context-Inappropriate Capability (Medium severity, 97% confidence)

The setup script collects a wallet passphrase and stores it in plaintext JSON under `~/.openclaw/signaai-worker.json`. Even with chmod 600, plaintext local storage of a blockchain wallet secret creates a high-value target for local compromise, backups, logs, or later malware, and the manifest does not clearly disclose this sensitive secret-handling behavior.

Missing User Warnings (Medium severity, 96% confidence)

The README encourages users to create escrow contracts that deploy and fund a live on-chain smart contract, but it does not present a clear upfront warning that this action can irreversibly move, lock, or release real cryptocurrency. In a skill explicitly designed for agent-to-agent payments on mainnet, omission of a strong financial-risk warning increases the chance that users trigger real fund movements without understanding the consequences.

Missing User Warnings (Medium severity, 97% confidence)

The setup flow says it will prompt for a Signum passphrase and Telegram configuration, but it does not explain how those secrets are stored, protected, or whether they may be exposed to the local environment, logs, or the OpenClaw agent. Because a blockchain wallet passphrase can authorize real transactions, unclear credential-handling guidance creates substantial risk of wallet compromise and unauthorized fund movement.

Natural-Language Policy Violations (Medium severity, 95% confidence)

The skill mandates `--network mainnet` for every command and repeatedly discourages safer alternatives, effectively steering all usage to real-money transactions. In a skill that can create escrows, send payments, and release funds, forcing mainnet without explicit per-action consent makes accidental or malicious financial loss far more likely.

Missing User Warnings (High severity, 99% confidence)

The instructions tell the agent to release escrow immediately on specific message patterns or on any `Release escrow <id>` command, and to never refuse or ask for confirmation. Because release moves irrevocable blockchain funds and the skill also processes messages/notifications autonomously, this creates a direct path for message spoofing, prompt injection, or operator error to trigger unauthorized payment.

Missing User Warnings (High severity, 99% confidence)

The setup instructions say the wallet passphrase is saved to `~/.openclaw/signaai-worker.json` without any meaningful security warning or protection model. A plaintext wallet secret stored on disk is effectively equivalent to handing over full spending authority to any local compromise, backup leak, log exposure, or other skill with file access.

Missing User Warnings (Medium severity, 94% confidence)

The CLI takes wallet passphrases as positional command-line arguments for commands like open, vote, and register-arbitrator. On multi-user systems and in shell environments, command-line arguments can be exposed through shell history, process listings, logs, and job runners, which can directly compromise blockchain accounts and authorize irreversible transactions.

Missing User Warnings (Medium severity, 98% confidence)

This CLI accepts blockchain wallet passphrases as positional command-line arguments for deploy and submit operations. On multi-user systems and many CI/container environments, command-line arguments can be exposed through shell history, process listings, logs, crash reports, and orchestration metadata, allowing theft of the wallet secret and unauthorized transfer of funds. In this skill's context, the credential directly authorizes on-chain payment and contract actions, which makes the exposure more dangerous than a typical low-sensitivity CLI secret.

Missing User Warnings (Medium severity, 98% confidence)

The CLI accepts wallet passphrases as positional command-line arguments for create, submit, release, and refund operations. On many systems, command-line arguments are exposed via shell history, process listings, audit logs, or other local monitoring, risking credential compromise and unauthorized blockchain transactions.

Missing User Warnings (Medium severity, 93% confidence)

The code silently reads a Telegram bot token from local config and uses it for outbound requests without clear user-facing disclosure at the point of use. This expands the trust boundary of a payment tool, can expose bot credentials and payment-related metadata, and may surprise operators who do not expect third-party network communication during escrow actions.

Missing User Warnings (Medium severity, 98% confidence)

The CLI accepts a wallet passphrase as a positional argument, which commonly exposes it through shell history, terminal scrollback, job control logs, and process listings visible to other local users or monitoring tools. In a blockchain/payment skill, compromise of the passphrase can directly lead to wallet takeover, unauthorized payments, identity hijacking, and irreversible on-chain actions.

Missing User Warnings (Medium severity, 88% confidence)

Agent registration sends the user's secretPhrase to the API layer, which is highly sensitive because any logging, proxying, remote node usage, or misconfiguration could expose the wallet secret. In this skill's context, the secret controls on-chain identity and funds, so undisclosed transmission materially increases the risk of credential theft and irreversible asset loss.

Missing User Warnings (Medium severity, 88% confidence)

Task recording also passes the wallet secretPhrase into an API request, creating the same credential exposure risk during routine use. Because this module operates in an agent-to-agent payment/blockchain environment, users may automate calls, making accidental logging or interception of wallet credentials even more likely and more damaging.

Missing User Warnings (Medium severity, 94% confidence)

Autonomous execution forwards untrusted task descriptions to external LLM providers without any execution-time warning or consent gate. In this skill context, incoming tasks originate from on-chain messages and may be attacker-controlled, so the code can automatically disclose sensitive prompts or local operational context to third parties.

Missing User Warnings (Medium severity, 90% confidence)

This code path notifies via Telegram after assembling the full result text and includes a substantial result preview. That can leak sensitive or proprietary output to Telegram automatically, without a just-in-time warning to the operator at the moment of disclosure.

Missing User Warnings (High severity, 99% confidence)

The self-test explicitly prints the passphrase plus both derived private keys to stdout with no masking or warning. In this skill's context—agent-to-agent payments and blockchain signing—stdout exposure is highly dangerous because logs often persist in shells, CI systems, container platforms, agent transcripts, and observability tooling, enabling anyone with log access to reconstruct the wallet and sign transactions.

VirusTotal

66/66 vendors flagged this skill as clean.