v0.15.0

AWP Wallet Skill

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:56 AM.

Analysis

This is a coherent crypto wallet skill, but it gives an agent live authority to unlock, sign, approve, and transfer wallet funds, so it needs careful review before use.

Guidance: Install only if you intentionally want an AI agent to manage an EVM wallet. Prefer a new low-value wallet, do not import a high-value seed phrase, use read-only or short-lived sessions when possible, manually confirm every approval/signature/batch transfer, lock the wallet after use, and verify the npm/GitHub source before installing.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
awp-wallet approve --token $T --asset usdc --spender 0xRouter --amount 1000 --chain base
...
awp-wallet sign-message --token $T --message "Hello World"
...
awp-wallet batch --token $T --chain base

The skill documents token approvals, message signing, and batch transfers, all of which can have financial or account-control impact, but these sections do not include the explicit confirmation template shown for ordinary sends.

User impact: A mistaken or ambiguous prompt could lead to approving a spender, signing a dangerous message, or sending multiple transfers without the user seeing the full risk details first.
Recommendation: Before approvals, signatures, batch transfers, or account upgrades, require a clear confirmation that includes chain, spender/recipient, amount, token contract, message/data, and expected effect.
Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Note
install.sh
git clone "$REPO_URL" "$INSTALL_DIR"
...
npm install --no-audit --no-fund
...
elif sudo npm link 2>/dev/null && command -v awp-wallet &>/dev/null; then
...
printf '\n# Added by awp-wallet installer\n%s\n' "$RC_LINE" >> "$RC_FILE"

The installer can fetch code, install npm dependencies, register a global command, potentially invoke sudo for npm linking, and modify shell startup files.

User impact: Installation changes the local development environment and may trust remote package/source updates.
Recommendation: Install only from a trusted package or reviewed commit, avoid sudo-based linking if possible, and review shell profile changes after installation.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
No password needed — encryption is auto-managed.
...
TOKEN=$(awp-wallet unlock --duration 3600 | jq -r '.sessionToken')

The documented workflow says the wallet can be unlocked without a user password and obtains a session token for on-chain operations; for a wallet, that token represents authority over funds and signatures.

User impact: An agent or local process with access to the CLI workflow may be able to operate the wallet without a separate password prompt.
Recommendation: Use a dedicated low-value wallet, avoid importing a high-value seed phrase, keep sessions short, and require explicit user approval before any transaction or signature.
Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/wallet-cli.js
  .option("--duration <seconds>", "Session duration in seconds", "3600")
  .option("--scope <scope>", "Session scope (read|transfer|full)", "full")

The unlock command defaults to a one-hour session with full scope, which is broader than needed for read-only actions such as balance checks.

User impact: If the agent is misdirected during the unlocked window, the same token may allow transfers, approvals, or signatures rather than only the user's intended read operation.
Recommendation: Use narrower scopes such as read for balances, use shorter durations, and run the lock command promptly after each task.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
scripts/lib/bundler.js
throw new Error("No bundler API key set. Export PIMLICO_API_KEY, ALCHEMY_API_KEY, or STACKUP_API_KEY.")
...
createBundlerClient({ chain, transport: bundlerTransport }),
createPaymasterClient({ chain, transport: fallback(paymasterTransports) })

Gasless transactions are routed through external bundler/paymaster providers using provider API keys, which is expected for ERC-4337-style gasless operation.

User impact: Those providers may receive transaction or user-operation metadata associated with the wallet and API key.
Recommendation: Use trusted providers, understand their privacy terms, and disable gasless mode if you do not want transaction metadata sent to third-party bundler/paymaster services.