suspicious.env_credential_access
- Location: scripts/xmtp_support.mjs:11
- Finding: Environment variable access combined with network send.
Advisory
Audited by Static analysis on May 10, 2026.
Detected: suspicious.env_credential_access
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised provider response, misconfiguration, or mistaken agent action could make the wallet submit an unintended on-chain transaction or spend gas.
The registration flow signs and broadcasts transactions whose contract address, ABI, function name, and arguments come from the provider prepare API; the provided code does not show a local allowlist or confirmation gate before signing.
prepare = post_json(f"{API_BASE}/agent/erc8004/prepare", prepare_body, headers=headers) ... contract_address=str(prepare["contractAddress"]), abi=prepare["abi"], function_name=str(prepare["functionName"]), args=list(prepare.get("args") or []) ... signed = w3.eth.account.sign_transaction(built_tx, private_key)
Require explicit user review of network, contract, function, arguments, wallet, and fees before signing; use allowlisted contracts and a low-balance or ephemeral wallet.
If an agent invokes this on an untrusted or mistaken endpoint, the wallet could authorize a payment amount chosen by that endpoint's challenge.
After receiving a 402 challenge, the script creates and sends a payment header without an evident confirmation prompt or maximum-spend check in the provided file.
print(f"Solana payment required: {solana_option.get('maxAmountRequired')} atomic units") ... x_payment = create_solana_xpayment_from_accept(solana_option) ... headers={"X-Payment": x_payment, "x-wallet-address": wallet_address, "Accept": "application/json"}
Add a mandatory user approval step and configurable maximum spend before sending any X-Payment header or signed payment authorization.
Those credentials can authorize payments, signatures, endpoint administration, support access, or control-plane changes if mishandled.
The skill clearly discloses that some flows require high-privilege wallet or account credentials.
Optional credentialed flows may use private keys, Solana signer keys, endpoint API keys, PATs, AWAL, or OWS depending on the exact runbook
Set only the credential needed for the current task, prefer scoped tokens or wallet tools over raw private keys, and avoid using a main wallet with significant funds.
Anyone with access to the transcript or logs could see the webhook secret and potentially forge or verify webhook events.
The webhook signing secret is intentionally printed into the agent/user output so it can be saved, which may also place it into chat logs or agent context.
print(f"\n⚠️ SAVE THIS SECRET — it will not be shown again:") ... print(f" {webhook['signing_secret']}\n")
Move generated secrets directly into a password manager or secrets vault and avoid retaining them in shared chat, logs, or long-term agent memory.
If OWS_BIN or PATH points to an untrusted executable, wallet operations could be intercepted or altered.
The skill executes local OWS wallet binaries, optionally selected through an environment variable. This is expected for wallet integration but depends on trusting the local binary path.
explicit_bin = os.getenv("OWS_BIN", "").strip() ... return [explicit_bin, *args] ... proc = subprocess.run(build_ows_command(args), text=True, capture_output=True, timeout=timeout)
Use a trusted, fully qualified wallet binary path and avoid running the skill in an environment with untrusted PATH or OWS_BIN settings.
Future installs may resolve to different package versions than the author tested.
Python dependencies are specified with lower bounds rather than pinned versions or hashes, allowing dependency drift over time.
eth-account>=0.10.0
web3>=6.0.0
requests>=2.28.0
Install in an isolated virtual environment and consider pinning reviewed dependency versions before using wallet-signing flows.
Messages, support tokens, webhook events, or dashboard actions may pass through external services and affect account resources.
The skill discloses MCP control-plane access and support/XMTP messaging flows, which cross service and agent communication boundaries.
optionally use Singularity MCP for owner-scoped dashboard and control-plane actions ... Support and buyer/seller messaging | support_auth.py, support_threads.py, xmtp_support.mjs
Use the minimum needed MCP/support permissions, verify destinations and identities, and avoid sending unrelated secrets through support or messaging channels.