HashPack Wallet
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is an instruction-only HashPack integration guide; it is purpose-aligned but involves wallet connection and transaction signing, which users should treat as financially sensitive.
This looks like a benign developer reference for HashPack integration. Before using it in a real app, make sure all signing flows require clear user approval, display the exact Hedera network and transaction details, and avoid mainnet transactions until the integration has been tested safely.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A web app built from these instructions could request wallet signatures for transactions that transfer assets or perform other blockchain actions.
The skill documents transaction-signing flows that can move funds. This is expected for a HashPack wallet integration, but it is high-impact if used without explicit user review.
Sign and submit transaction ... .addHbarTransfer(from, -10) ... .addHbarTransfer(to, 10); await hashpack.signTransaction(tx);
Use explicit wallet prompts, show network, recipient, amount, and fees before signing, and test on testnet before enabling mainnet actions.
The integrated app may learn the connected Hedera account ID and request wallet permissions.
The skill connects to a user wallet and obtains an account ID. This is normal for wallet login, but it delegates account identity to the web application.
const result = await hashpack.connect(); ... const accountId = result.accountId;
Only connect trusted apps, disclose what account data is read, and never ask users for seed phrases or private keys.
