Skillv0.1.1

ClawScan security

Lista Wallet Connect · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 10:21 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions match its WalletConnect purpose, but it asks the agent to auto-run installs/CLI actions, persists sensitive session/signature data to disk, and includes global debug-logging that can capture stdout/stderr — these behaviors are coherent with the feature set but raise data-exfiltration and scope concerns that deserve user review before install.
Guidance: This skill appears to implement WalletConnect pairing and EVM transaction signing as described, but it gives an agent the authority to run node/npm commands, install dependencies, and write files in your home directory. Key points to consider before installing: - The skill will emit and persist pairing URIs, session topics, and consent signatures (authSignature) to local files (~/.agent-wallet/sessions.json and QR image files). Those values are sensitive — anyone who receives them can pair or replay approval flows. - SKILL.md instructs the agent to automatically run npm install / npm run build if needed. Allowing that gives the skill network access to fetch npm packages and write code under the workspace. If you restrict network or installation, ensure dist/ is present and up-to-date. - The debug logging component patches stdout/stderr and can write everything the CLI prints into a specified file. Avoid enabling debug logs or providing paths that could be routed to external channels. - The skill outputs the pairing URI and QR image; the agent must avoid sending these to third-party channels. Confirm your agent honors the documented 'do not disclose' rules and requires explicit user confirmation before any signing/transaction. Recommendations: review the included source (already present in the package), remove or replace the bundled .env default project id if you prefer your own, run the CLI in a restricted/test environment first, and ensure you will be prompted for consent before any transaction. If you cannot review or control the agent's runtime behavior (automatic installs, file writes, debugging file paths), consider not installing or only using a vetted alternative.

Review Dimensions

Purpose & Capability: noteName/description align with included code: WalletConnect v2 pairing, signing, and contract calls for eip155:1 and eip155:56. However the skill ship includes a default .env with a WALLETCONNECT_PROJECT_ID and code that will read that .env into process.env even though the registry metadata declared no required env vars; this is plausible but should be visible to the user.
Instruction Scope: concernSKILL.md instructs the agent to run CLI/setup commands itself (npm install, build, run node) and to auto-fix missing deps in the workspace without asking the user. The CLI emits pairing URIs, QR paths, and session topics to stdout (as JSON) and the SKILL.md relies on the agent to avoid leaking those; the code also persists session and auth data (including authSignature) to disk. Those runtime instructions give the agent broad discretion to execute network installs, write to the host filesystem, and produce outputs that contain sensitive pairing URIs and cryptographic signatures — raising scope and data-leak risk unless the agent enforces the documented 'do not disclose' rules.
Install Mechanism: noteNo formal install spec is declared (instruction-only), but full source + package.json are included, and SKILL.md tells the agent to run npm install && npm run build if dist/ is missing. That implies network package installs at runtime (moderate risk). No external downloads from untrusted URLs are present in the files themselves.
Credentials: concernThe skill does not request unrelated credentials, and uses a WalletConnect project id (default embedded in .env) which is appropriate. However it writes session state (including authSignature from consent signatures) to ~/.agent-wallet/sessions.json and saves QR images under the same directory. Persisting signatures and session topics is sensitive and not declared in metadata as a persistent config path; debug logging can capture stdout/stderr (which include pairing URIs and payloads) and write them to any file path provided, increasing exfiltration risk if misused.
Persistence & Privilege: noteThe skill persists its own state to the user's home directory (~/.agent-wallet) and may create files (qr images, wc-store database). always:false (good). The agent is instructed to run commands autonomously (normal for skills), but the 'auto-fix dependencies' instruction means the agent may perform network installs and write to disk without additional user prompts — this is a behavioral privilege that users should consciously accept.