Back to skill

Security audit

AWP Skill

Security checks across malware telemetry and agentic risk

Overview

This AWP skill is largely coherent for crypto wallet and protocol work, but it gives agents high-impact transaction authority through an under-scoped raw call bridge and an unpinned remote wallet installer.

Install only if you trust the AWP publisher and are comfortable with a skill that can sign and submit AWP protocol transactions. Review any awp-wallet installation command before running it, prefer a pinned or manually verified wallet release, keep minimal funds in the agent wallet, and require clear confirmation before any relay, signature, staking, allocation, governance, or raw-call action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
channel, target = _get_openclaw_config()
        if channel and target:
            try:
                subprocess.run(
                    [
                        openclaw_bin,
                        "message",
Confidence
81% confidence
Finding
subprocess.run( [ openclaw_bin, "message", "send", "--channel",

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill frames itself as safe and read-only in parts of the manifest, but the setup flow instructs the agent to clone and execute a remote installer script automatically when a dependency is missing. Executing unaudited remote code during setup is a classic supply-chain risk and directly contradicts the safety framing, increasing the chance a user will trust and approve dangerous actions.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The skill explicitly directs cloning and running third-party code from GitHub as part of normal operation. Even if the repository is legitimate today, this creates a direct remote-code-execution supply-chain path outside the core AWP protocol actions, with access to the user's environment and potentially wallet-adjacent context.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The notification subsystem persists messages locally and can automatically forward them through OpenClaw to an external channel. That capability is broader than simple local monitoring and can leak operational details such as wallet address fragments, registration status, and worknet activity to third parties if configured maliciously or without informed consent.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The script advertises itself as read-only and safe, but its returned nextCommand instructs users to clone a repository into /tmp and execute an install.sh script. That is a supply-chain and trust-boundary risk: operators may run arbitrary remote code under the assumption that the preflight step is non-mutating and safe.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This script intentionally exposes a raw-calldata transaction primitive using the wallet's signing/session infrastructure. Although the destination is restricted to allowlisted AWP contracts and recognized WorknetManager addresses, the calldata itself is unconstrained, so any externally callable function on those contracts can be invoked, including admin-like, staking, approval, allocation, or value-bearing flows not reflected in the skill's task-oriented interface. In an agent-skill context, this materially expands the capability surface from predefined AWP operations to generic contract execution.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The comments state that the separate WorknetManager check exists so claim flows can target those contracts safely, but the enforcement only verifies that the address is a recognized manager; it does not restrict calldata to claim-related selectors. As a result, any callable function on any active or paused WorknetManager can be invoked, which creates a misleading trust boundary and may let an attacker trigger unintended state changes through this supposedly safe path.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
A silently auto-starting background daemon that persists and writes files creates an autonomy and transparency risk, especially in an agent skill context. Even if the daemon is intended to be low-risk, starting it without an explicit contemporaneous warning or consent can violate user expectations and lead to unwanted monitoring, notifications, or persistence.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions normalize cloning and executing a remote installer without a strong, explicit warning that this runs third-party code on the host. In a skill that already has shell and network capabilities, that omission lowers user caution and increases the chance of unsafe approval of supply-chain actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The relay section documents gasless write endpoints such as bind, allocate, register, and worknet activation without an explicit warning that these calls submit real on-chain transactions and can change ownership, staking, delegation, or registration state. In an agent skill context, this omission increases the risk that an LLM or user treats them like harmless API calls, leading to unintended irreversible actions or signatures authorizing value-affecting operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document instructs users to generate signatures and submit them, along with wallet address and worknet metadata, to external AWP endpoints without an explicit privacy/trust warning or guidance on what data leaves the local environment. In a wallet/relay workflow, signatures are sensitive authorization artifacts, so omitting this notice can mislead users about off-chain disclosure and increase phishing, misuse, or unintended data-sharing risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
At the point of transmission, the daemon sends message text plus configured channel/target to OpenClaw without an interactive warning or per-send confirmation. In this skill context, the daemon is long-running and autonomous, so silent delivery to external messaging destinations meaningfully increases privacy and exfiltration risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script sends signed EIP-712 onboarding payloads to external relay endpoints, but it does not present an explicit user-facing warning at the point of transmission about what data is being sent, to whom, and what on-chain actions the signatures authorize. In a wallet/onboarding context, that omission can lead to users authorizing binding, registration, staking, or allocation actions without clear informed consent, especially because the flow is fully gasless and automated.

External Transmission

Medium
Category
Data Exfiltration
Content
**2. EIP-712 RegisterWorknet signature** (authorizes registration parameters):
```bash
# Get AWPRegistry nonce via JSON-RPC
NONCE=$(curl -s -X POST https://api.awp.sh/v2 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"nonce.get","params":{"address":"'$WALLET_ADDR'"},"id":1}' | jq -r '.result.nonce')
Confidence
90% confidence
Finding
curl -s -X POST https://api.awp.sh/v2 \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**3. Submit to relay:**
```bash
curl -X POST https://api.awp.sh/api/relay/register-worknet \
  -H "Content-Type: application/json" \
  -d '{
    "chainId": 8453,
Confidence
97% confidence
Finding
curl -X POST https://api.awp.sh/api/relay/register-worknet \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
**2. EIP-712 RegisterWorknet signature** (authorizes registration parameters):
```bash
# Get AWPRegistry nonce via JSON-RPC
NONCE=$(curl -s -X POST https://api.awp.sh/v2 \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"nonce.get","params":{"address":"'$WALLET_ADDR'"},"id":1}' | jq -r '.result.nonce')
Confidence
90% confidence
Finding
https://api.awp.sh/

External Transmission

Medium
Category
Data Exfiltration
Content
**3. Submit to relay:**
```bash
curl -X POST https://api.awp.sh/api/relay/register-worknet \
  -H "Content-Type: application/json" \
  -d '{
    "chainId": 8453,
Confidence
97% confidence
Finding
https://api.awp.sh/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.