ClawHub

Use User Controlled Wallets

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only Circle wallet integration guide with real wallet-token handling risks, but the behavior is disclosed, purpose-aligned, and user-controlled.

Install this only for building a Circle user-controlled wallet integration. Treat the snippets as starter code: keep CIRCLE_API_KEY on the backend, pin dependencies, use testnets while developing, require clear confirmation before transfers, and replace localStorage or script-readable cookie storage of wallet auth secrets before production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The frontend stores `userToken` and `encryptionKey` in `localStorage`, which is persistently accessible to any JavaScript running in the origin, including injected script from an XSS flaw, compromised third-party dependency, or malicious browser extension. In this skill context, those values are authentication material for a non-custodial wallet flow, so theft could enable unauthorized wallet operations or impersonation within the Circle SDK session.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example stores `userToken` and `encryptionKey` in `localStorage`, which is readable by any JavaScript executing in the page origin, including code introduced through XSS, compromised third-party scripts, or browser extensions. In this skill's context, these values are wallet-authentication material for a non-custodial wallet flow, so exposure could enable unauthorized challenge execution or wallet operations during the token lifetime.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The example persists highly sensitive secrets (`userToken`, `deviceToken`, `deviceEncryptionKey`, and `encryptionKey`) in browser cookies across OAuth redirects. If these cookies are accessible to client-side JavaScript, exposed via XSS, mis-scoped, or transmitted without strict cookie attributes, an attacker could steal wallet-authentication material and potentially complete wallet operations or impersonate the user in backend calls. In a wallet-authentication flow, this is more dangerous than a typical web session example because the stored values directly protect access to non-custodial wallet actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document describes creating token transfers to a user-provided destination address without an explicit warning that blockchain transfers are generally irreversible and that a wrong or maliciously substituted address can permanently drain funds. In this wallet context, omission of that warning increases the chance that integrators build unsafe UX flows that submit unverified recipient addresses or fail to require strong user confirmation before authorization.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal