ClawHub
Back to skill

Security audit

Lista Wallet Connect

Security checks across malware telemetry and agentic risk

Overview

The skill largely does what it says, but it needs review because it can request wallet signatures and transactions while storing sensitive wallet/session artifacts locally with limited safeguards.

Install only if you are comfortable letting an agent initiate WalletConnect prompts for signatures and EVM transactions that you must review in your wallet. Use a limited-purpose wallet, avoid debug logging for real transactions, override the shared WalletConnect project ID if privacy matters, do not use --no-simulate unless you understand the transaction, and periodically delete saved sessions under ~/.agent-wallet when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The pair flow invokes platform shell commands via execSync to open a QR image path in the local system viewer. Even though the current path is internally generated, spawning shell commands is an unnecessary capability expansion for a wallet-connect skill and increases risk if path handling or invocation logic changes, especially in agent or shared-host environments.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The debug logging feature can write captured stdout/stderr and argv-derived context to an arbitrary file path supplied by CLI option or environment variable. Because this skill handles wallet addresses, signing requests, transaction data, auth messages, and signatures, the logger can silently persist sensitive operational data to disk outside the core function.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code hooks both stdout and stderr and persistently records every emitted line, plus structured JSON when present, to a file path controlled by CLI input or environment variables. In a wallet-connect skill, command output can easily include wallet addresses, session metadata, RPC responses, transaction payloads, signatures, errors, or other sensitive operational data, so this broad capture exceeds a narrow debugging need and creates a real data exposure surface.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The signed message explicitly states, "I authorize this AI agent to request transactions on my behalf," which grants broader delegated authority than simple wallet connection or one-off signing. Even if this is only an off-chain message, storing and treating it as authentication can be abused by the agent or backend as durable user consent for future actions the user did not intend at the time of signing.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The command invokes platform-specific shell commands via execSync to open a file path, which introduces shell execution into a feature that only needs to display a QR code. Although the current qrPath is internally constructed, using shell-based process launching creates unnecessary attack surface and can become exploitable if the path or execution context is influenced by environment quirks, quoting edge cases, or future code changes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill embeds and promotes use of a default WalletConnect project ID from a local .env, which can silently route agent activity through an external third-party service. Without a prominent privacy and network-use warning, users may not realize wallet metadata, pairing events, and related connection details are being sent off-box to external infrastructure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The auth flow stores sensitive session material to disk, including authSignature, authNonce, authTimestamp, account information, and session metadata, without encryption or any user-facing warning. Persisting reusable signatures and session state in a predictable location under the user's home directory creates a local credential exposure risk if the host is compromised, shared, or backed up insecurely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The debug log option records command activity and structured stdout/stderr to a file without clear warnings that sensitive material may be captured. Since outputs can include transaction context, wallet addresses, topics, auth messages, and signatures, enabling this feature can create a durable forensic trail of secrets and sensitive operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When enabled, the logger writes all stdout/stderr content and also records process arguments to disk without any in-code notice, confirmation, or sanitization. Process arguments often contain wallet identifiers, RPC URLs, file paths, or even secrets passed by automation, so silent persistence increases the risk of credential leakage and forensic recovery by other local users or processes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The command persists authSignature, authNonce, authTimestamp, and authAddress in session storage, creating reusable sensitive authorization material. If local storage, logs, or downstream consumers are compromised, this data can be replayed or misused to assert prior user consent, especially because the signed text conveys broad transaction-request authority.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The command emits the WalletConnect pairing URI and related QR/file metadata in structured output and also writes the QR image to local storage. A WalletConnect URI is effectively a live pairing secret during its validity window, so exposing it to logs, upstream callers, agent transcripts, or shared files can let another party pair with the wallet session or observe sensitive connection metadata. In an agent/CLI context, JSON output is especially likely to be captured, persisted, or forwarded automatically, which increases disclosure risk.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
After approval, the code persists session details including wallet accounts, chains, wallet peer name, and creation time without explicit consent or disclosure. While this is not remote code execution, it creates a local privacy and operational security issue: account identities and wallet relationships may be exposed to other local users, backup systems, telemetry, or later compromise of the host. In a wallet-management skill, storing this metadata is contextually sensitive because it directly reveals blockchain addresses and connected wallet information.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code persists wallet session data to a predictable file under the user's home directory without any access-control hardening, encryption, or user disclosure. In the context of a wallet-connect skill that handles signing and contract-call sessions, stored session metadata may enable unauthorized reuse of active sessions or expose sensitive wallet/account details to other local processes or users on the same system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When enabled, this code records stdout/stderr output and CLI arguments to a file, and it attempts to parse and preserve structured JSON content. In a wallet-connect skill, command output and arguments can plausibly contain wallet addresses, RPC payloads, transaction data, signatures, tokens, or other sensitive operational details, so silent file logging materially increases data exposure risk. The wallet-connect context makes this more dangerous because the tool handles high-value blockchain operations where leaked metadata or secrets can directly aid account compromise or privacy loss.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The code sends a transaction-derived 4-byte revert selector to an external third-party service (4byte.directory) during simulation without any visible disclosure, consent, or configuration gate. While the selector is only 4 bytes and usually low sensitivity, it can still leak metadata about user activity, contract interactions, or proprietary/custom error usage to an external observer, especially in a wallet-connect skill handling user-triggered blockchain operations.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal