Thetanuts Openclaw

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real crypto trading skill, but it needs review because it stores wallet seeds in plaintext, can broadcast wallet transactions, and includes an unsafe remote updater.

Install only with a fresh, low-value dedicated wallet. Do not import a primary seed. Treat ~/.openclaw/wdk-mcp/.env as a full wallet secret, avoid sharing logs that may contain seed phrases or balances, manually inspect any update before running it, and review every approval, signature, and transaction before broadcast because actions on mainnet can cause irreversible financial loss.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
Findings (21)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This is a real integrity flaw: the script constructs every reported ticker with the hardcoded underlying 'ETH', even when the user requested BTC. In a trading skill, mislabeling market data can mislead users or downstream automation into acting on the wrong instrument, causing incorrect fills, bad RFQs, or financial loss through operator error.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
This is a true logic flaw: although the script requires a `--since` timestamp and claims to verify that a position was created after RFQ submission, it never uses that timestamp when deciding whether a fill occurred. Any pre-existing position with the same ticker will be treated as a successful fill, which can mislead automation, post-trade monitoring, or users into believing an RFQ was filled when it was not.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script fetches a manifest from a remote URL, allows that URL to be overridden via an environment variable, then downloads and executes a shell script from the manifest's updateUrl with `bash`. This is an arbitrary code execution path with no signature verification, pinning, checksum validation, or trust boundary enforcement, which is especially dangerous in a wallet/trading skill that may run in environments containing secrets and signing material.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script can run `npm ci`, `npm update`, and kill runtime processes in `~/.openclaw/wdk-mcp`, which affects external runtime components beyond the stated Thetanuts trading functionality. This expands the skill's operational scope and can introduce supply-chain risk, break unrelated components, or alter the execution environment unexpectedly.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The script claims wallet secrets are never modified and sets `PROTECT_ENV=1`, but the downloaded update script is fully unconstrained and can ignore that variable, read or overwrite `.env`, or exfiltrate secrets. This creates a misleading safety guarantee that may cause operators to trust a mechanism that can in fact access sensitive wallet material.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script generates a fresh BIP-39 mnemonic and persists it in plaintext to a global ~/.openclaw/wdk-mcp/.env file. A wallet seed is a highly sensitive secret that grants full control over funds, so storing it in a broadly readable config file materially increases the risk of credential theft by local malware, backups, logs, or accidental disclosure.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script explicitly locates and parses a wallet-related .env file in the user's home directory, then later uses WDK_SEED to derive wallet addresses. Reading a mnemonic seed from disk is credential access behavior, and in an agent skill context this expands capability from trading actions into secret extraction and wallet enumeration, which is dangerous even if the immediate output does not print the seed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs users to run trading commands that read `WDK_SEED` from `.env`, but it provides no warning about treating that seed as a high-value secret, avoiding logging, or preventing accidental disclosure via shell history, files, or agent output. In a crypto trading skill, a leaked seed can directly compromise wallets and funds, so normalizing unsafe secret handling increases real operational risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Automatically displaying the user’s wallet address and balances without an upfront privacy warning can expose sensitive financial information in chat logs, screenshots, or shared agent transcripts. In a trading skill, wallet identity and asset balances materially increase phishing, targeting, and doxxing risk.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
Mandating external market-news lookups before every strategy recommendation without a user-facing disclosure means the agent may contact third-party services unexpectedly during sensitive financial interactions. Even if no seed is sent, timing, assets of interest, and trading intent can leak externally and create unnecessary privacy exposure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script outputs calldata targeting Base mainnet by default and explicitly tells the user the transaction is ready to be signed and broadcast. In a wallet-integrated trading skill, that messaging can normalize blind signing of live on-chain RFQ submissions without clearly warning about mainnet execution, real funds, chain verification, or independent review of the destination and calldata.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script prints the full seed phrase to stdout in structured JSON, which can be captured by terminal history, shell logging, CI logs, process supervisors, or calling applications. In an agent or automation context, this is especially dangerous because secrets may be forwarded, stored, or exposed outside the user's awareness, allowing total wallet compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs two unattended `npm install` operations that fetch and execute third-party package install logic while also writing files under both the project directory and `~/.openclaw/wdk-mcp`. In an onboarding context for a wallet/trading skill, this creates meaningful supply-chain and system-modification risk because a user may run it without realizing it will install network-fetched code and alter their environment.

Missing User Warnings

High
Confidence
95% confidence
Finding
The updater downloads and immediately executes remote code without any interactive confirmation or prominent warning that code from the network will run locally. That makes accidental or automated execution far riskier, particularly for a finance-related skill where compromise could affect wallets, API keys, or trading behavior.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script reads a wallet seed from a local .env file and uses it to derive accounts automatically in order to query balances. Even though it does not print or transmit the seed directly, accessing a high-value secret during a routine balance check increases credential exposure risk and normalizes secret access without an explicit user consent boundary, which is dangerous in an agent/skill context.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script writes a newly generated seed phrase to disk immediately, without an explicit opt-in, confirmation prompt, or pre-write warning that a highly sensitive wallet secret will be persisted. Silent persistence of recovery material can expose the seed to other local processes, misconfigured permissions, backup systems, or users who did not expect the action.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code reads WDK_SEED from a local .env file without any user-facing prompt, consent flow, or warning that a highly sensitive mnemonic is being accessed. In an agent environment, silent access to wallet seeds materially increases risk because compromised or modified code could exfiltrate the secret or use it to control funds.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script persists a BIP-39 seed phrase in plaintext to ~/.openclaw/wdk-mcp/.env, which creates a durable credential at rest that can be recovered by any local process, backup system, shell tooling, or accidental file disclosure. Although importing a wallet requires handling the mnemonic, storing the full seed unencrypted in a conventional env file materially increases compromise risk because this single secret grants complete control of associated wallets.

Credential Access

High
Category
Privilege Escalation
Content
  // Generate new seed phrase (128 bits = 12 words)
  const seedPhrase = generateMnemonic(wordlist, 128);

  // Write to .env
  writeEnv(ENV_FILE, {
    WDK_SEED: seedPhrase,
    WDK_ACTIVE_FAMILY: 'evm',
Confidence
98% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
};
  }

  // Write to .env
  writeEnv(ENV_FILE, {
    WDK_SEED: seedPhrase,
    WDK_ACTIVE_FAMILY: 'evm',
Confidence
97% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
## Features

- **Wallet Management**: Create and import EVM/Solana wallets using Tether WDK
- **Balance Queries**: Check native (ETH/SOL) and token balances (USDC, WETH, cbBTC)
- **Transaction Execution**: Approve tokens and send transactions directly
- **Options Trading**: Orderbook fills, RFQ lifecycle, MM pricing, multi-strike structures (spreads, butterflies, condors)
Confidence
88% confidence
Finding
Create and import EVM/Solana wallets using Tether WDK - **Balance Queries**: Check native (ETH/SOL) and token balances (USDC, WETH, cbBTC) - **Transaction Execution**: Approve tokens and send transact

VirusTotal

VirusTotal findings are pending for this skill version.
