Use Modular Wallets
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Circle wallet-development guide, but it involves real wallet authority such as transfers, recovery phrases, and credential persistence that users should handle carefully.
This skill appears safe as an instruction-only wallet SDK guide, but use it carefully: verify the official Circle packages and documentation, keep client keys and recovery phrases out of repositories and logs, avoid localStorage for production credential storage, and require explicit user approval before any real token transfer or recovery action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent following these examples could create real blockchain transactions and transfer tokens.
The reference shows how to submit on-chain wallet operations, including token transfers. This is expected for a wallet SDK guide, but it can move funds if used with real accounts.
const userOpHash = await bundlerClient.sendUserOperation({ account, calls: [callData], paymaster: true, })
Only execute transfer code after confirming recipient, amount, token, and network, and test on supported testnets before using mainnet.
Anyone who obtains the recovery phrase may be able to recover or take control of the smart account.
The recovery mnemonic can authorize account recovery and replacement of the lost passkey, so it is effectively wallet-control material.
The user must save this phrase securely -- it is the only way to recover the account if the passkey is lost.
Generate and store recovery phrases outside the repository, never log or commit them, and require explicit user consent before recovery operations.
If this pattern is copied into production, credential-related wallet session data may be easier for malicious browser scripts to access.
The example persists a passkey credential in browser localStorage. SKILL.md warns that this is only for quick examples and not for production, but if the pattern is copied into production it could expose credential data to XSS or unintended reuse.
localStorage.setItem('credential', JSON.stringify(credential))
Use secure production storage such as httpOnly cookies or another appropriate session mechanism, and avoid storing wallet credential data in localStorage for production apps.
Users may need Circle Console configuration that was not reflected in the registry requirements.
The skill documents Circle client configuration even though the registry metadata declares no required environment variables or primary credential. This appears expected for a Circle integration, but users should be aware of the setup requirement.
CLIENT_KEY= # Circle Console client key for app identification
CLIENT_URL= # Circle Client URL
Treat Circle client keys and URLs as project configuration, keep them out of source control, and verify the required scope in Circle Console.
