AWP Wallet Skill

Security checks across malware telemetry and agentic risk

Overview

This is a functional crypto wallet skill, but it gives agents high-impact wallet, signing, transfer, and local secret-management authority with under-scoped safeguards.

Review carefully before installing. Use only with a dedicated low-value wallet, avoid importing an existing seed phrase, avoid sudo installation, inspect ~/.openclaw-wallet storage, configure recipient restrictions where possible, and require explicit human review for every transfer, approval, signature, batch operation, API-key persistence, and EIP-7702 action.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection

Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill executes shell commands and reads environment variables but declares no permissions, creating a capability transparency gap. In an agent setting, this can bypass least-privilege expectations and lead operators to invoke a wallet-managing skill without understanding it can install software, create persistent state, and access local execution context.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior extends beyond the stated purpose into sensitive wallet lifecycle and persistence operations, including wallet initialization, session issuance, history/log handling, and advanced account upgrades. This mismatch is dangerous because users or orchestrators may authorize the skill for routine balance or transfer tasks without realizing it can alter long-lived wallet state or expose highly sensitive wallet-management surfaces.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The installer performs broader system-configuration changes than strictly necessary for wallet operations by globally registering a command and modifying shell startup files. In a wallet skill context, persistent environment changes increase trust and persistence footprint, which is risky because users may not expect an installer for a crypto tool to alter login-shell behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
`getTxStatus` performs on-chain lookup without the `requireScope(sessionToken, "read")` gate used by other wallet read methods. In a wallet skill, this creates an inconsistent authorization boundary: any caller able to invoke this function can probe transaction hashes and infer wallet activity or confirmation state without the read permission expected elsewhere.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This file exposes EIP-7702 account upgrade functionality that is materially more sensitive than the wallet actions advertised in the skill manifest. Hidden or undocumented authorization-changing behavior is dangerous because users and calling systems may invoke the skill under the assumption it only performs routine wallet operations, while this code can permanently delegate account control to a contract address, including an arbitrary user-supplied target.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The revocation path is also undocumented relative to the stated skill capabilities, which means the skill performs privileged account-delegation state changes outside its declared scope. Although revocation is generally protective rather than harmful, undocumented security-sensitive behavior erodes trust boundaries and can surprise orchestrators or users that did not authorize delegation-management actions.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The CLI exposes high-risk wallet administration functions such as wallet initialization, mnemonic import/export, password changes, and session lock/unlock that go beyond the stated skill purpose of balances, transfers, approvals, and signing. In an agent-skill context, this scope expansion increases the chance that an agent or integration can access or alter wallet secrets and authentication state in ways users would not reasonably expect from the manifest.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The CLI includes account-upgrade and smart-account lifecycle commands such as EIP-7702 upgrade/revoke and smart-account deployment, but these capabilities are not reflected in the skill description. These operations materially change account behavior and trust assumptions, so hiding them behind an incomplete manifest can lead to unauthorized or poorly understood account-state changes.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger text is broad enough to match many generic wallet or crypto-related requests, increasing the chance the agent invokes this skill when the user did not intend on-chain actions or local wallet access. Because the skill can create wallets, unlock sessions, sign data, and send funds, accidental invocation materially raises risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs signing arbitrary messages and typed data without requiring a clear user-facing warning that signatures can authorize off-chain or on-chain actions, login sessions, token permits, or malicious approvals. In wallet contexts, users often cannot easily interpret typed data, so silent or routine signing can enable phishing, asset loss, or account takeover on connected services.

Missing User Warnings

High
Confidence
97% confidence
Finding
Approval operations are documented without an explicit confirmation or warning, even though token approvals can grant spend rights to third parties and are a common path to wallet draining. A user may interpret approval as harmless setup, but unlimited or high allowances to an attacker-controlled spender can result in subsequent unauthorized asset transfers.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill automatically creates a wallet if none exists, without a clear upfront warning that persistent cryptographic identity and local secret material may be initialized. In an agent environment, this can unexpectedly generate durable wallet state tied to the host or session, causing confusion, custody risk, and unintended use of a new wallet for future operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script appends PATH changes to persistent shell startup files without explicit prior warning or consent. This creates lasting system-state changes that affect future shells and can surprise users, especially for a wallet-related installer where persistence and command hijacking concerns are more sensitive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer writes a supplied API key to disk in a profile .env file without an explicit pre-write notice that the credential will be persisted. Even with 0600 permissions, persisting secrets on disk increases exposure through backups, later local compromise, or accidental disclosure, which is especially relevant for a wallet tool handling sensitive blockchain operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This function performs irreversible on-chain transfers immediately once called, with no built-in confirmation, recipient verification prompt, transaction preview, or policy gate. In a wallet skill context, that is dangerous because upstream prompt injection, parsing mistakes, address substitution, chain confusion, or malicious tool invocation can directly cause loss of funds before the user has a chance to review the transaction details.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
If WALLET_PASSWORD is absent, the code silently generates a new wallet password and persists it to .wallet-password on disk, creating a long-lived secret without any explicit user awareness or consent. In a crypto wallet context, this secret protects the keystore, so undisclosed persistence materially increases the risk of wallet compromise by local attackers, backups, or other software with filesystem access.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code decrypts the wallet and writes raw private key material into a cache file, merely re-encrypted under a password that may itself be auto-stored locally. This creates an additional recoverable copy of the signing key on disk, expanding the attack surface and making theft of funds far easier if the host, wallet directory, or password file is compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Accepting a mnemonic seed phrase via a command-line argument is dangerous because command-line arguments are commonly exposed through shell history, process listings, logging, telemetry, and job control tooling. In a wallet skill, compromise of the mnemonic leads directly to total wallet takeover and irreversible loss of assets across all supported chains.

VirusTotal

66/66 vendors flagged this skill as clean.
