MuHaven RWA Portfolio
ReviewAudited by ClawScan on May 14, 2026.
Overview
This wallet-linked portfolio skill is mostly transparent, but it needs review because it handles financial actions while some advertised sandbox protections are not enforced in its current host-native mode.
Install only if you trust MuHaven and understand the wallet/account implications. Prefer an enforced sandbox runtime or read-only mode, keep the broker and dependencies updated, and manually review every buy, claim, or pause confirmation before approving it.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe the skill cannot access files, spawn processes, or contact other network destinations, even though those limits are not enforced in the currently documented runtime mode.
This user-facing safety claim is contradicted by SECURITY.md, which says the current plain OpenClaw host_native mode makes the manifest permissions advisory only. For a wallet-linked financial skill, overstating containment can lead users to trust protections that are not actually enforced.
permissions.network.deny_default + permissions.filesystem.{read,write}: [] + permissions.process.spawn: [] install before the skill binary starts. Any egress / FS / spawn attempt is denied at the runtime.Use a runtime that enforces the permissions block, or treat the skill as a normal host-native Node program and install it only if you trust the package and broker.
The agent can prepare buy, yield-claim, and pause actions that affect the user's MuHaven account once the user approves them.
The skill exposes high-impact financial and account-policy tools. The artifacts describe confirmation controls, so this is purpose-aligned, but users should notice that these tools are available unless read-only mode is enabled.
muhaven.position.buy ... Stage a Subscription buy — emits intent for three-tier confirmation. NEVER auto-submits. ... muhaven.policy.pause ... Activate /pause kill-switch (uninstallPlugin). NEVER auto-submits — requires user confirmation.
Enable read-only mode if you only want portfolio visibility, and carefully review every buy, claim, or pause confirmation before approving.
Compromise or misconfiguration of the local broker could affect account-linked MuHaven actions.
The skill relies on broker-held wallet/session credentials and JWT authorization. This is expected for the stated service, but the credential boundary is sensitive and may be file-backed if the native keyring is unavailable.
MUHAVEN_BROKER_SESSION_KEY ... private half of a ZeroDev session key ... The key is held by muhaven-broker ... JWT must be present ... falls back to FileKeystore
Install and authenticate the broker from a trusted source, prefer OS keychain support where available, and avoid running the broker under shared or untrusted user accounts.
A vulnerability in a bundled dependency may remain present until this skill is republished and the user updates.
The package bundles a large dependency graph and explicitly notes that dependency fixes require a republished skill version. This is disclosed and common for self-contained packages, but users should track updates.
inline-bundles @muhaven/mcp + @modelcontextprotocol/sdk + viem + zod ... CVE-propagation lag ... no paid security-watch automation
Pin versions you have reviewed, monitor MuHaven releases, and update promptly when security releases are published.
Dynamic validator generation expands the runtime behavior that users must trust, especially without enforced sandboxing.
The static scan found dynamic code generation in the bundled distribution. In context this looks like AJV schema validator generation, not a hidden downloader or custom eval path, but it is still worth noting in host-native execution.
const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);Run the skill only from a trusted, signed package and prefer an enforced sandbox runtime for financial use.
If the broker endpoint is misconfigured or replaced, sensitive account requests could be routed to the wrong local service.
Sensitive wallet-adjacent operations are mediated through a separate local broker over IPC. This is disclosed and purpose-aligned, but the broker endpoint is part of the trust boundary.
The skill calls muhaven-broker over a Unix socket (POSIX) or named pipe (Windows). Path defaults to ~/.muhaven/broker.sock ... If the broker is unreachable, every tool call returns a structured connect_failed error
Leave the broker endpoint at the trusted per-user default unless you know why it must change, and ensure the socket or named pipe is not writable by other users.