Bitget Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a real Bitget Wallet integration, but it can handle wallet private keys and submit signed crypto transactions, so users should review it carefully before installing.

Install only if you intend to use it for active crypto swap workflows and can manually review every transaction. Do not paste wallet private keys into the agent or pass them on the command line; prefer an external wallet, hardware signer, or dedicated signer that never reveals the key. Pin and review updates before replacing the skill, and require explicit confirmation before any signing, order-submit, or swap-send step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
This section directs the agent to retrieve wallet private keys and perform local transaction/hash signing, materially expanding the skill from data retrieval into direct custody and fund-execution behavior. In an agent environment, any prompt injection, compromise, or misuse of this skill could result in irreversible asset theft or unauthorized swaps.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The documentation recommends subprocess-based retrieval of secrets from an external 1Password helper script, which creates a generic secret-extraction path available to the skill runtime. Even if intended for legitimate signing, this pattern broadens the attack surface and makes secret misuse easier through instruction hijacking, logging mistakes, or helper-script abuse.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The documentation substantially expands the skill from market-data usage into full transaction execution, approval handling, gas-mode selection, signing, and broadcasting. This scope creep is security-relevant because governance, sandboxing, and user expectations may be calibrated for informational API use rather than autonomous financial operations.

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The skill description emphasizes market data, quotes, rankings, and security checks, but the implementation also supports creating swap orders and preparing/broadcasting transactions. That expansion from read-only data access into transaction execution materially increases risk, because an agent using this skill could facilitate asset-moving actions the user did not expect from the stated capability surface.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The code can submit user-signed transactions and broadcast them to remote endpoints, which is a high-risk operation not justified by a skill framed around quotes and market/security data. Even if signatures are supplied by the user, forwarding signed transactions can directly cause irreversible on-chain actions and asset loss if the agent is misused or the user is misled.

Intent-Code Divergence

Medium
Confidence: 87%
Finding
The module docstring presents the file as a simple API client with demo credentials, but the code contains active swap, order creation, and broadcast functionality. This mismatch increases the chance that reviewers, integrators, or agent orchestrators will underestimate the tool's ability to participate in asset-moving workflows.

Description-Behavior Mismatch

Medium
Confidence: 85%
Finding
This helper does more than read wallet or market data: it constructs and signs blockchain transactions and also signs arbitrary API-provided hashes. In the stated skill context, that is materially more dangerous because a supposedly data-oriented integration can directly authorize asset-moving operations, and the code does not independently validate transaction contents or signing intent before producing valid signatures.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The script requires a raw private key and uses it locally to sign transactions or hashes, which creates a severe secret-handling risk. In a skill advertised for wallet API interactions and market/security data, asking users to provide private keys is especially dangerous because compromise of that key enables full control of wallet assets, and the code offers no isolation, hardware-wallet integration, or permission boundaries.

Missing User Warnings

Medium
Confidence: 94%
Finding
Swap and order commands send wallet addresses, order identifiers, and signed transaction payloads to a third-party API without any explicit warning, consent prompt, or minimization controls. In this skill context, that is more dangerous because users may reasonably expect passive market-data retrieval, not off-host transmission of sensitive transaction artifacts.

Missing User Warnings

Medium
Confidence: 99%
Finding
The usage examples instruct users to pass the private key directly on the command line, which commonly exposes secrets through shell history, process listings, audit logs, CI logs, and terminal scrollback. Even if the key is only used locally, this handling method substantially increases the chance of accidental credential disclosure and downstream wallet compromise.

VirusTotal

66/66 vendors flagged this skill as clean.
