ClawPurse

Security checks across malware telemetry and agentic risk

Overview

ClawPurse appears to be a real local blockchain wallet, but it needs Review because its agent-facing guidance normalizes automated fund transfers with confirmation and allowlist bypasses.

Install only if you are comfortable giving an agent access to a wallet that can move or stake real funds. Use a low-balance wallet, enforce allowlists, avoid --override-allowlist and --yes except in tightly controlled automation, keep mnemonics out of environment variables and command history, and review plaintext receipt storage on shared or backed-up machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding:
The function and its documentation claim to securely wipe a string from memory, but in JavaScript strings are immutable, so returning an empty string does not erase the original secret from memory. In a wallet/security utility context, this can mislead developers into believing mnemonics, passwords, or private material were cleared when they may still remain in memory, logs, heap snapshots, or crash dumps longer than expected.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The guide explicitly tells users to drag-and-drop the package into an existing repository and approve all replace/merge conflicts, but it does not require reviewing diffs, backing up current state, or validating file provenance first. This creates a supply-chain and integrity risk because users may overwrite trusted code, workflows, or configuration with unreviewed content, including potentially dangerous CI or website changes.

Missing User Warnings

Severity: Low
Confidence: 85%
Finding:
The guide instructs users to create GitHub secrets for third-party services without adjacent guidance on least privilege, token scope, storage hygiene, or verifying the trustworthiness of those external integrations. While adding secrets to GitHub is standard, omission of credential-handling precautions increases the chance of accidental exposure or overprivileged token use.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The quick-start instructs users to initialize a wallet and send a transaction using real-looking commands, but it does not warn that these actions may affect real funds, expose secrets through shell history, or create irreversible blockchain transactions. In a wallet/CLI context, omission of safety guidance materially increases the risk of accidental loss, misuse of production accounts, and unsafe password handling.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README explicitly documents using `CLAWPURSE_PASSWORD` for wallet access but does not warn that environment variables are often exposed through process listings, shell history, crash dumps, CI logs, or inherited child processes. In an agentic or automation setting, this increases the chance that a wallet password is stored or propagated insecurely, weakening the protection of the encrypted keystore.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
Documenting `CLAWPURSE_MNEMONIC` without a strong warning is dangerous because a mnemonic is the wallet's root secret and full account compromise follows if it is disclosed. Environment variables are particularly risky in automated and agent-driven workflows because they are easily leaked via logs, debugging tools, subprocess inheritance, shell startup files, and orchestration platforms.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill explicitly instructs agents to use `--yes` for staking and payment flows, which normalizes skipping human confirmation on irreversible blockchain transactions. In a wallet skill intended for agents and automation, this materially increases the chance of accidental, unauthorized, or prompt-influenced asset transfers without a meaningful last-step safety check.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The documentation recommends setting `CLAWPURSE_PASSWORD` without warning that environment variables may be exposed through shell history, CI logs, process inspection, inherited environments, or shared automation runners. Because this skill manages a cryptocurrency wallet, weak secret-handling guidance can directly lead to keystore compromise and theft of funds.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The documentation includes a one-line example that combines `--override-allowlist` with `--yes`, which bypasses destination guardrails and suppresses confirmation before a fund transfer. Although there is a brief generic caution earlier, this specific example does not clearly state that it can immediately broadcast funds to an untrusted address, making accidental misuse more likely in a wallet/transaction context.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
This workflow recommends a test send to a new address using `--override-allowlist --yes`, effectively disabling both the allowlist safeguard and the interactive confirmation step. In a cryptocurrency wallet context, that combination materially increases the chance of irreversible misdirected transfers, especially when copied verbatim by operators following setup guidance.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The guide recommends placing the wallet mnemonic and password in environment variables as a convenience feature, but does not pair that with a prominent warning about exposure. In practice, environment variables can leak through shell history, process listings, crash reports, logging, shared session tooling, or inherited subprocess environments, which is especially risky for wallet secrets.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The example normalizes use of the `--yes` flag to bypass large-amount confirmation without an explicit warning that this removes an important safety control. In an agentic or scripted context, this makes accidental or malicious high-value transfers easier because the operator may copy the example verbatim and disable the confirmation intended to prevent mistakes.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The CLI explicitly accepts secrets via `--password`, and elsewhere also accepts `--mnemonic`, which exposes highly sensitive material through shell history, process listings, audit logs, and CI/job telemetry. In a wallet context this is especially dangerous because disclosure of the password or mnemonic can lead to keystore compromise and full asset theft.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The code persistently stores transaction receipt data in a predictable file under the user's home directory, including addresses, amounts, memos, timestamps, and transaction hashes, without any access controls, encryption, redaction, or indication of user consent in this component. While this appears intended for audit/history functionality rather than abuse, it creates a privacy and local data exposure risk if the host is shared, backed up to third-party services, or compromised by other local software.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The quick-start block includes real token-transfer and staking commands with no adjacent warning that these actions are live, irreversible on-chain operations and may move funds if copied verbatim into a configured wallet. In an agent-skill context, terse operational examples can be executed by users or automation with limited scrutiny, increasing the chance of accidental loss or unintended delegation.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The quick-start section includes live token transfer and staking commands but does not warn users that these actions are irreversible and affect real on-chain assets. In an agent-skill context, users or automated systems may copy and execute these commands verbatim, increasing the chance of accidental fund loss, misdirected transfers, or unintended staking operations.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The quick-start section includes live-looking wallet commands for sending tokens and staking without any adjacent warning that these are irreversible on-chain financial actions. In an agent-skill context, users or autonomous systems may copy these commands directly, increasing the risk of accidental fund transfer, staking lockup, or use of an incorrect recipient or validator.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The page explicitly promotes autonomous agent payment behavior, including detecting 402 responses, paying on-chain, and spending from prepaid balances, but does not provide a clear user-facing warning that agents can autonomously spend real funds. In this skill context, that omission materially increases risk because the content is aimed at integrating payment-capable agents rather than passive human readers.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The quick-start section instructs users to initialize a wallet, send tokens, and stake funds without any visible caution that blockchain transfers and staking actions can be irreversible, may incur fees, and may lock funds during unbonding. In a finance and agent-automation context, this omission increases the chance that users or integrated agents execute real-value transactions unsafely or on the wrong network/address.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The quick-start section includes live blockchain commands for sending tokens and staking without any nearby warning that these actions can move real funds and may be irreversible. In the context of an agent skill and automation-oriented documentation, users or agents may copy these commands directly into a real environment, increasing the chance of unintended financial loss.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The quick-start section includes live token transfer and staking commands that can move real funds or lock assets without any surrounding warning about irreversibility, environment separation, testnet usage, or operator review. In an agent-oriented payment skill, users or autonomous systems may copy these commands directly, increasing the risk of accidental mainnet transactions, staking mistakes, or loss from unsafe operational use.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The quick-start section includes a live token transfer example (`clawpurse send ... 1.25 --password <pass>`) without any adjacent warning to verify the recipient, amount, network, or whether real funds are being used. In a wallet/agent-payment context, copy-pasteable transfer commands materially increase the chance of accidental fund loss, especially for users or agents following setup steps mechanically.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The quick-start block includes live wallet, transfer, and staking commands using real blockchain addresses and passwords, but provides no warning that these actions can move irreversible funds on-chain. In an agent-skill context, concise command snippets may be copied or executed automatically, increasing the chance of accidental transfers, staking, or use against production wallets.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The quick-start block includes live wallet operations such as sending funds and staking tokens, but presents them as routine setup steps without any nearby warning that these actions are financially consequential and may be irreversible. In an agent skill or onboarding context, users may copy-paste commands blindly, increasing the risk of accidental loss of funds, mistaken transfers, or premature staking of assets.

Ssd 4

Severity: Medium
Confidence: 94%
Finding:
The payment workflow tells the operator to verify allowlisting 'or use `--override-allowlist`', which undermines the very recipient safeguard meant to prevent transfers to untrusted addresses. In the context of an agent-accessible wallet, this makes prompt injection, operator error, or malicious tasking more likely to result in funds being sent to attacker-controlled destinations.

VirusTotal

65/65 vendors flagged this skill as clean.