Kaspa Wallet

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Kaspa wallet, but it asks for full wallet secrets and can send cryptocurrency, including the entire balance, without clearly declared credentials or confirmation boundaries.

Only install this if you intentionally want an agent-accessible Kaspa wallet. Do not use a wallet containing funds you cannot afford to lose, and require manual confirmation for every send transaction. Review the dependency installation before exporting any private key or mnemonic.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent runs the wrong send command or uses the wrong address, funds could be irreversibly transferred on-chain.

Why it was flagged

The skill exposes a high-impact transaction command that can transfer the wallet's entire balance, with no artifact-backed requirement for explicit user confirmation before execution.

Skill content

./kaswallet.sh send <address> max                # Send entire balance

Recommendation

Require explicit user approval before any send, especially for 'max', showing recipient address, amount, network, and estimated fee.

What this means

Giving the skill a private key or seed phrase gives it control over the associated KAS funds.

Why it was flagged

These are full wallet secrets that authorize spending. The registry metadata declares no primary credential or required env vars, so the permission boundary is under-disclosed.

Skill content

export KASPA_PRIVATE_KEY="64-character-hex-string"
# OR
export KASPA_MNEMONIC="your twelve or twenty four word seed phrase"

Recommendation

Use only a limited-purpose wallet, prefer testnet for testing, and ensure the registry metadata declares the credential requirements clearly.

What this means

A future or unexpected dependency version could behave differently while handling wallet secrets or transactions.

Why it was flagged

The dependency is specified without a pinned version or hash. Because the dependency handles wallet operations, changes in the upstream package could affect key handling and transactions.

Skill content

kaspa

Recommendation

Pin the dependency version and, ideally, verify package hashes or review the installed package before using real funds.

What this means

The first wallet command may create a virtual environment and install packages before performing the requested action.

Why it was flagged

If the virtual environment is missing, invoking the wallet wrapper automatically runs the installer. This is purpose-aligned but means a normal wallet command can trigger local install code.

Skill content

echo "Python venv not found. Bootstrapping with: $PY install.py" >&2
"$PY" install.py >&2

Recommendation

Run and review the installation step manually before setting wallet secrets or using the send command.