ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill

v1.9.0

Multi-EVM agent wallet SDK with onchain identity (ERC-8004), payment rails (x402), cross-chain liquidity (Li.Fi bridging + DEX aggregation + DeFi Composer),...

1· 693·0 current·0 all-time
byGiacomo Barbieri@ijaack
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires walletCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (multi‑EVM agent wallet, bridging, DeFi, identity) align with what the SKILL.md asks for: node runtime, optional private key/mnemonic, keystore directory, and an npm install of package evalanche. Requested binaries/envs are those expected for a wallet SDK.
Instruction Scope
SKILL.md instructs autonomous key generation/management, keystore encryption, running an MCP/CLI server, and many high‑privilege operations (validators, subnets, staking, contract upgrades, cross‑chain bridges). Those actions match the described capabilities but are powerful — they require private keys and can perform transactions. The doc warns about HTTP mode but does not show full code; a missing detail: how the 32‑byte entropy file used for password derivation is persisted (if it is stored on disk, that weakens protection). There are also minor typos in examples (e.g., Avalanche.boot vs Evalanche.boot) suggesting the doc is not fully polished.
Install Mechanism
Install is an npm package (evalanche) that creates a binary (evalanche-mcp). npm installs are expected for Node CLIs but they will download and execute third‑party JS on your machine — moderate risk. The SKILL.md points to a GitHub repo which you should audit or verify before installing.
Credentials
Declared environment variables (AGENT_PRIVATE_KEY, AGENT_MNEMONIC, AGENT_ID, keystore dir, chain alias) are appropriate for a wallet SDK and are optional. The skill also declares a keystore config path. Nothing requests unrelated credentials or excessive env access.
Persistence & Privilege
always is false (good). The skill supports autonomous invocation (normal). It can run an HTTP MCP server on localhost:3402 if requested — the doc warns not to expose it publicly, but enabling HTTP or misconfiguring network access would increase risk. The skill will create a local keystore area (~/.evalanche/keys) which is expected for its purpose.
Assessment
This skill is coherent with a headless multi‑EVM wallet, but it will install an npm package that runs code locally and can manage private keys and perform transactions. Before installing: 1) verify the npm package and GitHub repo (maintainer, recent commits, issues) and prefer installing from a trusted registry. 2) Inspect the package code (or vendor bundle) to confirm keystore, entropy, and password handling — ensure the 32‑byte entropy file is not persistently stored unprotected. 3) Do not enable HTTP mode on non‑localhost or without strong auth. 4) Use platform secret storage (OpenClaw secrets) rather than raw env vars where possible, and consider giving the skill minimal funds/privileges for testing. 5) If you need higher assurance, run the package in an isolated environment (VM/container) and review logs and network activity during initial runs.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c6gxpvkkk48zn7ws7k0gfvn84f854

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

⛓️ Clawdis
Binsnode
Environment variables
AGENT_PRIVATE_KEYoptionalHex-encoded private key (EVM). Optional if using boot() or AGENT_MNEMONIC.
AGENT_MNEMONICoptionalBIP-39 mnemonic phrase (required for Avalanche multi-VM X/P-Chain). Optional if using boot() or AGENT_PRIVATE_KEY.
AGENT_IDoptionalERC-8004 agent token ID for identity resolution (Avalanche C-Chain only).
AGENT_KEYSTORE_DIRoptionalDirectory for encrypted keystore in boot() mode. Default: ~/.evalanche/keys
AVALANCHE_NETWORKoptionalEVM chain alias: 'ethereum', 'base', 'arbitrum', 'optimism', 'polygon', 'bsc', 'avalanche', 'fuji', etc. Default: avalanche.
EVM_CHAINoptionalAlias for AVALANCHE_NETWORK. EVM chain to connect to.

Install

Install evalanche (npm)
Bins: evalanche-mcp
npm i -g evalanche

Comments