wallet-mcp

Security checks across malware telemetry and agentic risk

Overview

This wallet skill is coherent, but it lets an agent store private keys and move or sweep crypto funds without built-in confirmation safeguards.

Install only if you intentionally want an AI agent to manage crypto wallets. Use dedicated low-balance wallets, secure or relocate ~/.wallet-mcp/wallets.csv with restrictive permissions and disk encryption, avoid pasting private keys into chat or shell arguments, avoid exporting keys unless the backup is encrypted, and manually verify every send, sweep, account closure, key export, import, and group deletion before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (29)

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The documentation describes exports without private keys as 'safe to share' while the same feature set also supports exporting private keys, which can create a misleading mental model for users. In a wallet-management skill, that ambiguity increases the chance that users share or handle exports unsafely, especially when switching between examples or using natural-language tooling.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
This function returns the private_key field in all cases; when show_keys is false it only masks the string rather than removing it, and when show_keys is true it exposes the full secret. In a wallet-management context, even partial key material is highly sensitive and full key disclosure enables immediate wallet compromise if the caller is untrusted or output is logged, serialized, or shown to users.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The code stores wallet private keys in plaintext CSV on disk, making full wallet compromise possible if the file is read through local malware, backup exposure, multi-user access, logs, or accidental sharing. In a wallet-management context this is especially dangerous because private keys are the secret of record and plaintext persistence directly enables theft of funds.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The helper writes to ~/.openclaw/workspace/TOOLS.md, which is outside the core wallet-management scope and changes how another agent environment behaves in future sessions. Even though this is exposed via an explicit CLI mode rather than hidden execution, modifying agent configuration introduces persistence and trust-boundary risks if users run it without understanding the side effects.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The example shows closing token accounts, which is a state-changing and potentially irreversible operation, without a caution that users should verify accounts and understand consequences first. In a wallet tool, examples are often copied directly, so omission of warnings can lead to accidental asset-management mistakes or loss of access to expected account state.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes permanent group deletion with no strong warning about irreversibility or what wallet data is removed. Because this skill manages wallet inventories, users may destroy operational metadata or keys they still need, especially if they follow examples verbatim.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Sweep examples transfer remaining funds back to another address without emphasizing destination verification, chain correctness, and the irreversible nature of blockchain transfers. In a crypto-wallet context, sending to the wrong address or sweeping more than intended can directly cause permanent loss of funds.

Missing User Warnings

High
Confidence
98% confidence
Finding
The docs demonstrate exporting wallets with private keys for backup without a strong secret-handling warning, even though this creates a file containing material that fully controls funds. If that file is exposed through disk access, logs, backups, sync services, or user sharing mistakes, all associated assets can be stolen immediately.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Import examples omit that backup files may contain private keys or other sensitive wallet material, which can lead users to source files from insecure locations or handle them casually. In this skill's context, imported files may grant control over funds, so poor guidance increases the risk of secret exposure or unsafe operational practices.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide exposes natural-language commands that trigger wallet creation, fund transfers, sweeping, deletion, exports with private keys, and account-closing actions, but it does not require confirmations, transaction previews, allowlists, or other safeguards. In a chat-driven agent context, ambiguous prompts, prompt injection, account takeover, or user error could cause irreversible blockchain transfers or private key exposure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises tools that can generate wallets, send funds, sweep balances, delete groups, and export private-key-bearing wallet data, but it does not prominently warn about irreversible blockchain transactions, private key exposure risks, or the need for explicit confirmation before destructive actions. In an MCP context, where an AI agent may translate natural language into tool calls, this omission materially increases the risk of accidental fund loss, mass transfers, or deletion triggered by ambiguous prompts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill exposes high-risk wallet operations such as broadcasting funds to many wallets, sweeping balances, importing private keys, and deleting wallet groups without requiring explicit confirmation, approval gates, or strong safety guidance. In an agent setting, ambiguous or malicious user prompts could trigger irreversible fund movement or key exposure, especially because the skill strongly steers the agent to use the external wallet tool for all wallet operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This skill exposes fund-moving and potentially irreversible wallet operations such as multi-send, sweeping, and deletion without requiring an explicit confirmation step, dry-run mode, recipient verification, or user warning. In an agent setting, that makes accidental or prompt-induced loss of funds much more likely because the documented workflow normalizes direct execution of destructive financial actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill documents exporting and importing wallet sets including private keys, but provides only operational guidance and no strong safeguards around storage, encryption, access control, secure deletion, or the risks of creating plaintext key backups. Because this is a wallet-management skill, encouraging key export/import materially increases the chance of total asset compromise if files are exposed, mishandled, or placed in predictable filesystem locations.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly allows passing raw private keys on the command line, which can leak through chat logs, shell history, process listings, telemetry, and agent transcripts. Even though it says using labels is preferred, it does not present direct key entry as dangerous or prohibited, so users may expose the single secret that controls wallet funds.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
This command accepts a raw private key and persists it via storage helpers, creating long-lived sensitive credential material on disk. In an agent context, this is dangerous because secrets can be imported from prompts, logs, or automation flows and then retained or later exposed through other commands such as listing or export.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The export_wallets command can write wallet data to disk and supports include_keys, which risks dumping private keys into JSON or CSV files. In an agent setting this is especially risky because output paths may be insecure, files may be synced or exposed, and exports can become an easy exfiltration channel for wallet secrets.

Missing User Warnings

High
Confidence
97% confidence
Finding
The function accepts a raw private key and immediately signs and broadcasts a sweep transaction that transfers essentially the wallet's entire native-token balance to an arbitrary destination. In an agent/skill context, this is dangerous because a prompt, tool invocation, or indirect instruction can trigger irreversible exfiltration of funds with no built-in confirmation, policy gate, allowlist, or simulation step.

Missing User Warnings

High
Confidence
96% confidence
Finding
This function signs and sends a native-token transfer directly from a provided private key to any supplied address with no confirmation or secondary authorization. In the context of an agent skill, exposing a direct broadcast primitive materially increases the risk of accidental or malicious fund movement because blockchain transactions are irreversible once submitted.

Missing User Warnings

High
Confidence
98% confidence
Finding
The function persists generated wallet records including raw private keys to CSV, creating a plaintext secret store on disk. In a wallet-generation context this is especially dangerous because any local compromise, accidental file sharing, backup leak, or weak file permissions can immediately lead to theft of funds from all generated wallets.

Missing User Warnings

High
Confidence
88% confidence
Finding
This importer processes wallet private keys from JSON/CSV and persists them to local storage via save_wallets_batch, but there is no explicit confirmation, warning, encryption requirement, or safeguard around handling highly sensitive key material. In a wallet-management context, silently importing and storing private keys substantially increases the risk of accidental exposure through insecure local storage, backups, logs, or compromise of the host system.

Missing User Warnings

High
Confidence
89% confidence
Finding
This helper is explicitly designed to transfer nearly the entire wallet balance to an arbitrary destination, effectively enabling one-call draining of funds. In an agent skill context, that is more dangerous because a compromised prompt, tool misuse, or ambiguous user request could cause catastrophic irreversible asset loss without a secondary approval barrier.

Missing User Warnings

High
Confidence
92% confidence
Finding
The function can close token accounts and, when close_non_empty=True, may destroy access to non-empty token holdings depending on token-program semantics and account state handling. In an agent skill, exposing destructive account cleanup with a simple boolean flag and no confirmation, preview, or policy guard creates a significant risk of irreversible asset loss or denial of access triggered by misuse or malicious prompting.

Missing User Warnings

High
Confidence
96% confidence
Finding
The module silently creates and writes a persistent wallet file containing sensitive data, including private keys, without any explicit user-facing warning or consent flow. In a wallet tool, silent persistence materially increases the chance that users expose secrets unintentionally through disk backups, shared machines, source folders, or insecure home-directory permissions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
delete_group performs permanent deletion of wallet records with no runtime confirmation, dry-run mode, or secondary safety check. In an agent-driven environment, a mistaken invocation or prompt injection could irreversibly remove stored wallet data and associated private keys.

VirusTotal

66/66 vendors flagged this skill as clean.
