ClawSwarm Agent Wallet

Security checks across malware telemetry and agentic risk

Overview

This wallet skill has a coherent purpose, but its example exposes a private wallet key in console output and plaintext local storage.

Use only disposable or testnet wallets unless you replace the example key handling. Do not print private keys, do not commit agent-wallet.json, store keys in an encrypted wallet, OS keychain, or secret manager, and verify the onlyflies.buzz service before sending agent or wallet metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

High (97% confidence)
Finding
The example generates a private key and writes it in raw form to a local JSON file, which creates a durable plaintext secret on disk that can be exposed through backups, logs, source control mistakes, shared workspaces, or later compromise of the host. Although the text says 'Save securely!', it does not adequately warn against plaintext storage or provide a safer pattern, and this is especially risky in an agent-focused skill where implementers may copy-paste the example directly into automated environments.

VirusTotal

64/64 vendors flagged this skill as clean.
