Use Developer Controlled Wallets
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with Circle wallet management, but it includes unsafe examples that may print sensitive recovery-file data and omit transaction idempotency safeguards.
Use this only if you intend to build Circle developer-controlled wallet software. Before using it with real funds, remove any recovery-file logging, keep API keys and entity secrets in a secrets manager, add idempotency keys to all mutating calls, require explicit human confirmation for every transfer, default to testnets, and pin the Circle SDK dependency.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Sensitive wallet recovery data could be exposed in logs, increasing the risk that someone else could compromise or recover controlled wallets.
The snippet writes a Circle recovery file and then prints `response.data?.recoveryFile`. The same artifact describes the recovery file as sensitive, so this could place custody recovery material in terminal, tool, or chat logs.
recoveryFileDownloadPath: path.join(os.homedir(), ".circle", "recovery-file.json"), ... console.log(response.data?.recoveryFile);
Remove the `console.log(response.data?.recoveryFile)` line. Store the recovery file only in secure storage, show at most a safe path or checksum, and avoid sending recovery material through agent or terminal logs.
If copied directly, retrying or partially failing a transfer workflow could create duplicate or unreliable fund-movement behavior.
The transfer example is a mutating fund-movement call but does not include an idempotency key, despite SKILL.md stating that all mutating requests require a UUID v4 idempotency key.
const transferResponse = await circleDeveloperSdk.createTransaction({ walletId: "<source-wallet-id>", tokenId: "<token-id>", destinationAddress: "<destination-wallet-address>", amounts: ["0.01"], fee: { type: "level", config: { feeLevel: "MEDIUM" } } });Add a UUID v4 `idempotencyKey` to every wallet creation and transaction call, and keep an explicit user-confirmation gate for destination, amount, token, and network before any transfer.
Users may not receive an install-time warning that the skill expects sensitive Circle custody credentials.
The registry metadata does not declare credentials, while the skill instructions require `CIRCLE_API_KEY` and `ENTITY_SECRET` for a high-impact custody wallet integration.
Required env vars: none; Env var declarations: none; Primary credential: none
Declare `CIRCLE_API_KEY` and `ENTITY_SECRET` in the skill metadata or clearly warn users before any workflow that needs them.
A future package update or dependency issue could affect wallet-management code that users build from these instructions.
The skill asks users to install an external npm package without pinning a version. This is purpose-aligned for the Circle SDK, but dependency provenance and version drift still matter.
npm install @circle-fin/developer-controlled-wallets
Pin the SDK version, use a lockfile, install from trusted registries, and review package updates before using them with real funds.