pol-agents-sdk-demo

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: demo-agents-sdk
Version: 0.1.4

The skill bundle is classified as suspicious due to two significant supply chain and execution risks. First, the installation instruction `npm install -g github:0xPolygon/polygon-agent-kit` in `SKILL.md` and `QUICKSTART.md` directly fetches and executes code from a GitHub repository, which is a supply chain vulnerability if the repository is compromised. Second, the `wallet create` command, as described in `SKILL.md` and `QUICKSTART.md`, automatically downloads and executes the `cloudflared` binary from the internet to establish a Cloudflare Quick Tunnel. While intended for legitimate callback functionality, auto-downloading and executing an arbitrary binary without explicit user consent or robust integrity checks presents a critical arbitrary code execution vulnerability.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, the agent/CLI may hold wallet authority and can spend funds within the approved session limits.

Why it was flagged

The skill creates and uses wallet access keys, private keys, and spend-limited sessions that can authorize real token movement, while the registry metadata declares no primary credential, env vars, or config paths.

Skill content

Outputs `accessKey` — needed for all wallet operations. Save `privateKey` for backup. ... `--native-limit <amt>` | Max POL the session can spend

Recommendation

Use a dedicated low-value wallet, set tight session limits, keep backups private, review/revoke sessions, and require the skill metadata to declare wallet credentials and storage paths.

What this means

A broadcast transaction can be irreversible and may transfer tokens or create on-chain records.

Why it was flagged

The CLI exposes high-impact operations such as send, swap, deposit, registration, and x402 payment, but the docs disclose a dry-run default and require an explicit broadcast flag for writes.

Skill content

**Dry-run by default** — all write commands require `--broadcast` to execute

Recommendation

Preview transactions without `--broadcast` first and only broadcast after explicit user confirmation of recipient, amount, chain, and fees.

What this means

Unreviewed or changed upstream code would run locally with access to the wallet environment and stored sessions.

Why it was flagged

The artifact set contains no install spec or package code to review, and the documented install pulls a global executable from a GitHub source without a pinned commit or hash.

Skill content

Install globally: `npm install -g github:0xPolygon/polygon-agent-kit`

Recommendation

Pin to a reviewed release or commit, verify the package source and integrity, and prefer an install spec that declares the dependency and required binaries.

What this means

A downloaded helper binary can execute locally and open network connectivity during the wallet approval flow.

Why it was flagged

The wallet creation flow can automatically download and run an additional tunnel executable that is not represented in the install metadata or reviewed artifacts.

Skill content

No account or token required — `cloudflared` is auto-downloaded to `~/.polygon-agent/bin/` on first use.

Recommendation

Preinstall a verified `cloudflared` binary, check its source and version, or use the manual callback flow when automatic downloads/tunnels are not acceptable.

What this means

Wallet approval data and encrypted session material flow through third-party networking infrastructure during setup.

Why it was flagged

The wallet approval/session callback is routed through a public Cloudflare tunnel and hosted connector UI. The docs say the session is encrypted and the tunnel is temporary, but this is still a sensitive external data path.

Skill content

The CLI automatically opens a **Cloudflare Quick Tunnel** (`*.trycloudflare.com`) and passes the callback URL to the connector UI. ... the CLI receives the session automatically.

Recommendation

Use only trusted connector URLs, verify the full approval URL before opening it, and choose the manual/local flow if third-party tunnels are not acceptable.