ClawPurse
Warn
Audited by ClawScan on May 10, 2026.
Overview
ClawPurse is a coherent crypto-wallet skill, but it gives agents high-impact authority to send or stake tokens and its own agent examples encourage bypassing confirmations.
Only install this if you are comfortable giving an agent access to a crypto wallet. Use a separate low-balance wallet, enforce the destination allowlist, avoid --yes and --override-allowlist in automation, keep the password out of global environment variables, and review the npm package/source before linking the CLI globally.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with access to the wallet password could send tokens without a final human confirmation or could bypass destination controls, potentially causing unrecoverable loss of funds.
The documented agent workflow includes a confirmation-bypass flag and an allowlist-bypass option for cryptocurrency transfers, which are high-impact financial actions.
Making Payments ... "Verify recipient is in allowlist (or use --override-allowlist)" ... "clawpurse send <address> <amount> --memo "reason" --yes"
Require explicit user approval for every send, stake, unstake, and redelegate action; keep allowlist enforcement on; avoid --yes and --override-allowlist in autonomous workflows; use a low-balance wallet for agents.

If the password is exported broadly or stored in logs/shell history, other processes or agent actions may be able to unlock and use the wallet.
The skill relies on a wallet password and local keystore; this is expected for a wallet, but it gives any process or agent with that password spending authority.
Set `CLAWPURSE_PASSWORD` to avoid passing password on every command ... `~/.clawpurse/keystore.enc` | Encrypted wallet
Prefer interactive entry or a restricted secret manager, avoid exporting the password globally, clear the environment after use, and protect ~/.clawpurse with strict file permissions.

If the package source or npm dependencies are not trusted, installing and globally linking the CLI could run or expose untrusted code in the local environment.
The install path is user-directed and coherent for a CLI tool, but npm install/link and a globally available wallet command are sensitive enough to require dependency and provenance review.
npm install && npm run build && npm link ... This makes the `clawpurse` CLI available globally.
Install only from a verified repository, review package.json/package-lock and lifecycle scripts, consider using an isolated environment, and avoid global linking until the code is vetted.

Tampering with the allowlist could cause future agent payments to trust the wrong destination, and receipts may reveal transaction history.
The skill stores persistent local state that records transactions and influences which destinations are trusted for future payments.
`~/.clawpurse/receipts.json` | Transaction receipts ... `~/.clawpurse/allowlist.json` | Trusted destinations
Protect the ~/.clawpurse directory, review the allowlist before automated payments, back up important wallet files securely, and treat receipts as sensitive financial metadata.

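The mitigations from the send, password and local-state findings above can be enforced mechanically before an agent is allowed to call the CLI. The guard below is an added example, not code from the ClawScan report or the ClawPurse project; it uses the paths, environment variable and flag names quoted in the report and assumes that allowlist.json is a JSON array of address strings.

```shell
#!/bin/sh
# Pre-flight guard for letting an agent call the clawpurse CLI.
# Added example; not from the ClawScan report or the ClawPurse project.
# Paths, env var and flag names come from the report. The allowlist
# format (a JSON array of address strings) is an assumption.

CLAWPURSE_HOME="${CLAWPURSE_HOME:-$HOME/.clawpurse}"

# 0 if the argument list contains neither bypass flag.
args_are_safe() {
  for a in "$@"; do
    case "$a" in
      --yes|--override-allowlist) return 1 ;;
    esac
  done
  return 0
}

# 0 if CLAWPURSE_PASSWORD is not set, so unlocking needs interactive
# entry (or a secret manager) instead of a variable other processes inherit.
password_not_set() {
  [ -z "${CLAWPURSE_PASSWORD+x}" ]
}

# 0 if a path has exactly the given octal mode (GNU stat, BSD fallback).
mode_is() {
  _m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null)
  [ "$_m" = "$2" ]
}

# 0 if the destination appears as a quoted string in allowlist.json.
in_allowlist() {
  grep -Fq "\"$1\"" "$2"
}

# Run every check for `clawpurse send <address> ...` with the CLI args
# in $@; prints the first failing check and returns 1.
preflight() {
  mode_is "$CLAWPURSE_HOME" 700 || { echo "wallet dir must be 0700"; return 1; }
  mode_is "$CLAWPURSE_HOME/keystore.enc" 600 || { echo "keystore must be 0600"; return 1; }
  password_not_set || { echo "unset CLAWPURSE_PASSWORD first"; return 1; }
  args_are_safe "$@" || { echo "--yes/--override-allowlist are refused"; return 1; }
  in_allowlist "$1" "$CLAWPURSE_HOME/allowlist.json" || { echo "destination not in allowlist"; return 1; }
}

# Usage: guarded_send <address> <amount> [--memo "reason"]
guarded_send() {
  preflight "$@" && exec clawpurse send "$@"
}
```

Because the guard never passes --yes through, the real CLI still asks for its own confirmation, so the human stays in the loop even when the checks pass.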
Users may overestimate the wallet's maturity and safety, especially for real funds.
The documentation includes strong production/security language while also acknowledging test configuration work remains; this is not malicious, but users should not treat the claims as independent assurance.
Known Issues & Next Steps ... tests ... require some configuration adjustments ... Production-ready code meeting industry standards
Treat security claims as marketing until independently verified, run tests yourself, review the source, and start with a small funded wallet.
