Back to skill

Security audit

Use Modular Wallets

Security checks across malware telemetry and agentic risk

Overview

This is a wallet-development guide with real asset and credential risks, but the behavior is disclosed, aligned with its purpose, and constrained by safety instructions.

Install only if you are building Circle modular wallet functionality. Treat the snippets as development references: use testnets first, do not use localStorage for production credential storage, keep client keys and recovery phrases out of prompts/logs/source control, and require explicit user review before any mainnet transfer or recovery action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example persists the WebAuthn credential object in localStorage without any warning about the security implications. localStorage is readable by any JavaScript running in the origin, so an XSS bug, compromised dependency, or browser extension could expose credential metadata/session state and facilitate unauthorized wallet use or account tracking; in the same example, the stored credential is directly used for creating a smart account and sending sponsored on-chain transfers, increasing the practical risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The example persists the newly registered credential object to localStorage, which is accessible to any JavaScript running in the origin, including code injected via XSS or compromised third-party dependencies. In a wallet recovery context, storing authentication-related material client-side without clear storage hardening or user warning increases the chance of account compromise or privacy leakage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.