Bitget Wallet

Security checks across malware telemetry and agentic risk

Overview

This skill is a real crypto swap tool with private-key signing paths and transaction submission, but its trust boundaries and disclosures are inconsistent enough to require careful review before use.

Install only if you intend to use a high-trust crypto trading skill, not just a market-data skill. Do not provide seed phrases or unrestricted wallet private keys; prefer an external wallet or hardware signer that shows the exact transaction before approval. Treat the built-in signing helper and any API-provided-hash signing flow as high risk, and review updates through the normal platform process rather than allowing runtime self-replacement from a moving branch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The documentation goes beyond API data retrieval and instructs the agent to perform end-to-end transaction execution, including signing and submitting swaps. This expands the skill from informational use into direct custody-adjacent wallet operations, materially increasing the blast radius of misuse, prompt injection, or user misunderstanding. In a crypto context, that can directly lead to irreversible asset loss.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill includes operational guidance for retrieving wallet private keys from 1Password via subprocess and using them for signing. Any skill that teaches or facilitates secret extraction for downstream signing greatly increases the chance of credential misuse, exfiltration, or unintended fund movement. This is especially dangerous because private keys grant direct control over assets and transactions are irreversible.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
The skill instructs the agent to self-update by fetching remote repository content and replacing local files. That creates a supply-chain risk path where unreviewed remote changes can alter behavior, permissions, endpoints, or secret handling after initial approval. Even though the text mentions post-upgrade checks, automatic replacement of local skill files is unsafe in adversarial environments.

Intent-Code Divergence

High
Confidence: 95%
Finding
The document first says signing happens outside the skill, then later instructs the agent itself to sign orders and transactions. This contradiction obscures the trust boundary and can cause operators to underestimate the skill's custody and execution capabilities. In wallet workflows, unclear boundaries around signing are dangerous because they affect whether the agent can directly move funds.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill description presents a market-data, token-info, quote, and security-check tool, but the code also supports order creation, order submission, and raw transaction broadcast. That materially expands the skill from informational use into transaction execution, creating a risk that an agent or user invokes fund-moving operations without clear consent boundaries or least-privilege design.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
This helper extends a market-data and quote skill into direct wallet-signing functionality, including signing API-provided hashes and raw transactions with a user private key. That materially increases the trust boundary: if the API response or surrounding workflow is compromised, the script can authorize arbitrary actions on-chain rather than merely retrieving data.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The code accepts a raw private key and uses it to sign either opaque hashes via unsafe_sign_hash or transactions assembled from API-supplied fields. In the context of a skill advertised for market data, quotes, and security audits, this is especially dangerous because users may not expect custody-sensitive behavior, and a malicious or compromised API response could trigger signatures that drain funds or grant token approvals.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill transmits wallet addresses, order identifiers, and signed transaction payloads to a third-party API without any built-in disclosure or confirmation step. In an agent context, this is sensitive operational data; users may not realize that invoking quote/order/send commands can reveal wallet metadata or submit already-signed transactions externally.

Missing User Warnings

Medium
Confidence: 97%
Finding
Passing the private key as a command-line argument exposes it to shell history, process listings, CI logs, and crash diagnostics, which can leak the wallet secret to other local users or logging systems. Because this script is intended to sign blockchain operations, such leakage can immediately lead to full compromise of the associated wallet.

VirusTotal

66/66 vendors flagged this skill as clean.
