ERC8004 Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned but needs review because it gives an agent wallet-signing power and tells it to store login tokens in a public memory file.

Install only if you are comfortable with a high-impact wallet/signing integration. Use a fresh low-value wallet, prefer testnets, audit or pin the external SDK and proxy before production use, require explicit approval before each signing or onchain transaction, and do not store SIWA/JWT session tokens in MEMORY.md or any shared agent memory file.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (9)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation explicitly requires stopping after wallet creation until the user funds the wallet, but the advertised full-flow command proceeds directly into registration. In this skill context, that mismatch is operationally dangerous because it can trigger failing onchain transactions, confuse the user about required funding, and encourage unsafe automation of state-changing blockchain steps without an explicit checkpoint.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The skill makes a strong security claim that the private key never enters the agent process, but later introduces an alternative path that allows direct private-key handling. That contradiction is dangerous because agents or integrators may rely on the stronger guarantee and then unknowingly adopt a workflow that defeats the isolation model, increasing exposure to prompt injection, memory scraping, logging leaks, or accidental persistence.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The documented keystore API promises operations that never expose the private key, but later guidance points users toward a direct private-key workflow via an alternate SDK path. This undermines the trust boundary the document establishes and can cause unsafe implementation choices based on misleading security assumptions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The template explicitly states that only public identity data should be stored in MEMORY.md, but elsewhere reserves space for SIWA session tokens. Session tokens are authentication artifacts, not public identity data, and storing them in a general memory file risks credential disclosure, replay, or unintended persistence beyond their intended lifetime.

Description-Behavior Mismatch

Medium
Confidence
99% confidence
Finding
The 'Sessions' section instructs agents to record SIWA session tokens in a file meant for persisted public identity state. If this file is read by other tools, committed, synced, or exposed to users, the tokens could grant unauthorized authenticated access until expiry or revocation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill documents a reset command that clears MEMORY.md and keystore state, but it does not warn that this is destructive or require confirmation before use. In an identity-management skill, silent state deletion can break authentication, lose local registration context, and cause accidental disruption of agent identity operations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs persisting SIWA session tokens in MEMORY.md, which is a general-purpose agent memory file and may be readable by other tools, prompts, logs, or users. Storing bearer tokens in plaintext creates a credential exposure risk because anyone who can read the file may be able to reuse the session.

Credential Access

High
Category
Privilege Escalation
Content
**Recommended: Deploy to Railway with one click:**

[![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/deploy/siwa-keyring-proxy?referralCode=ZUrs1W)

Set `KEYRING_PROXY_SECRET` (shared HMAC secret) and either `KEYSTORE_PASSWORD` (for encrypted-file backend) or `AGENT_PRIVATE_KEY` (to use an existing wallet). After deployment, configure your agent with:
Confidence
88% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
## Important Notes

- **Private keys are NEVER accessible to you.** All signing is delegated to the keyring proxy over HMAC-authenticated HTTP. This is by design — even if you are compromised, the key cannot be extracted.
- **NEVER call the keyring proxy HTTP endpoints directly.** Always use the SDK functions (`createWallet()`, `signMessage()`, etc. from `@buildersgarden/siwa/keystore`) or the CLI commands listed above. The proxy uses a specific HMAC-SHA256 authentication protocol that the SDK handles internally — hand-crafting HTTP requests to the proxy will fail. If you cannot install the SDK, see the "Fallback: Manual HMAC authentication" section in SKILL.md for the exact protocol specification.
- **MEMORY.md** in `siwa/packages/siwa-testing/` contains your public identity state (address, agentId, registration status). Read it to know your current state.
- **Proxy backend is auto-detected** from `KEYRING_PROXY_URL` — no need to set `KEYSTORE_BACKEND` manually.
- If a command fails with "Cannot find module", run `cd /home/node/.openclaw/workspace/siwa/packages/siwa-testing && pnpm install` first.
Confidence
83% confidence
Finding
keyring

VirusTotal

64/64 vendors flagged this skill as clean.
