ClawHub

Kite Agent Smart Wallet Permissionless Protocol V2

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Telegram-controlled Kite testnet wallet tool, but it gives chat commands direct signing power over wallet actions with too little access control or confirmation.

Install only if you understand that this runs a local Telegram bot with a hot private key capable of signing wallet operations. Use a fresh low-value testnet-only key, keep the bot private or add an allowlist, add confirmation before sends and permission changes, never commit .env files, and review or remove the GitHub publishing instructions before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This command handler directly exposes privileged on-chain wallet administration and transfer operations through chat commands, creating a dangerous trust boundary between untrusted messaging input and blockchain state changes. In this implementation, commands like /session, /limit, and /send can trigger real transactions without any demonstrated authentication, authorization, or binding between the Telegram user identity and the wallet owner address.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The bot exposes wallet creation, session-key management, spending-limit changes, and fund transfers directly through Telegram chat commands, but it never authenticates that the Telegram user is the actual blockchain wallet owner. Instead, it uses a single server-side private key for all on-chain actions and maps Telegram user IDs into wallet lookups, creating a dangerous trust boundary failure where chat input can trigger custodial blockchain operations. In this context, a messaging bot controlling irreversible asset actions is especially risky because compromise or misuse of the bot immediately translates into on-chain effects.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code loads a blockchain private key and Telegram bot token from environment variables, which is normal for operation, but here those secrets enable direct signing authority and bot control for sensitive financial actions. Because the skill has no visible access controls, audit logging, or key isolation, compromise of the runtime environment would allow an attacker to take over the bot and execute wallet operations with the signing key.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document instructs the user to initialize and push the local skill directory to a public GitHub repository, but provides no warning to review the repository contents for secrets, tokens, credentials, local configuration, or proprietary files before publishing. In a skill/workspace context, this can easily lead to accidental disclosure of sensitive material because users may follow the steps verbatim.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The one-click GitHub CLI flow creates a public repository and immediately pushes the current directory without any confirmation to audit files or consider repository visibility. This increases the likelihood of rapid accidental data exposure, especially because the command combines repository creation and publication into a single streamlined step.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly instructs users to place a raw wallet private key into an environment variable for a Telegram-based crypto wallet bot, but provides no warning about the sensitivity of that secret, storage risks, or safer alternatives. In this context, compromise of the host, shell history, logs, process environment, or accidental commits can expose the private key and lead to full theft or unauthorized transfer of wallet assets.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill enables wallet creation, session authorization, spending-limit changes, and fund transfers through a chat interface but does not warn users that blockchain transactions are irreversible and financially risky. In a wallet-control context, omission of these warnings can cause users to authorize or send funds without understanding the consequences, especially when Telegram commands make high-impact actions feel casual.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions tell users to place a private key and Telegram bot token in environment variables without emphasizing that these are highly sensitive secrets requiring secure storage and restricted access. In a wallet-management skill, compromise of either value can lead to wallet takeover, unauthorized bot control, or theft of funds, making this omission materially dangerous.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide tells users to place a wallet private key in a local .env file but gives no warning that this credential grants full control of wallet funds and must never be exposed, committed, shared, or logged. In a Telegram bot context, this is especially risky because users may run the bot on developer machines or servers with weak file hygiene, making theft of the key and loss of funds more likely.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation exposes a /send command that transfers funds but does not warn that blockchain transfers are typically irreversible and that recipient address and amount must be carefully verified before execution. In a chat-driven wallet interface, users are more prone to typo, copy/paste, or social-engineering mistakes, which can directly lead to unrecoverable asset loss.

Missing User Warnings

High
Confidence
99% confidence
Finding
The /session add and /limit set flows perform irreversible wallet-administration transactions immediately from a single command, with no confirmation step, no out-of-band approval, and no visible permission checks. If a user account, bot integration, or message source is spoofed or triggered unintentionally, an attacker could add a session key or alter the spending limit and materially weaken wallet security.

Missing User Warnings

High
Confidence
99% confidence
Finding
The /send command initiates an on-chain asset transfer directly from chat input without confirmation, recipient verification, transaction simulation, or any demonstrated access-control check. Because this is a funds-movement action, any misuse, spoofed identity, accidental command, or compromised bot channel could result in immediate and irreversible loss of assets.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest describes broad wallet control via Telegram without defining activation boundaries, approval requirements, or operational constraints. In a wallet-related skill, vague capability language can mislead users or host agents into granting overly broad authority, increasing the risk of unintended fund movement or unsafe invocation patterns.

Missing User Warnings

High
Confidence
92% confidence
Finding
The `/create` flow can immediately create an on-chain wallet with no confirmation, warning, or review step. Since blockchain transactions are irreversible and may incur costs or create persistent state tied to an incorrect identity mapping, accidental or unauthorized invocation can have lasting consequences.

Missing User Warnings

High
Confidence
99% confidence
Finding
Adding a session key is a privilege-granting wallet action, yet the bot performs it immediately from chat input without confirmation or secondary approval. A malicious or mistaken command could authorize another key with spending capability, effectively delegating wallet control and enabling theft or unauthorized transactions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The bot updates spending limits directly from a chat command without confirming the requested amount or verifying the caller's authority beyond Telegram interaction. Increasing or misconfiguring limits can weaken wallet safeguards and make subsequent unauthorized transfers far more damaging.

Missing User Warnings

Critical
Confidence
100% confidence
Finding
The `/send` command initiates an irreversible fund transfer from chat input alone, with no confirmation, recipient verification, anti-phishing protection, or cryptographic proof that the requester is authorized. In a Telegram bot context, this is extremely dangerous because typoed addresses, compromised chats, bot abuse, or flawed identity mapping can lead directly to permanent asset loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The manual instructs users to manage a cryptocurrency wallet through Telegram chat commands, including sending funds and configuring authorization/session keys, but it does not clearly warn that these commands can trigger real on-chain actions and may be retained in Telegram chat history, notifications, logs, screenshots, or compromised devices. In this context, users may expose wallet addresses, transaction intents, limits, or other sensitive operational details, increasing the risk of unauthorized fund movement or privacy loss.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal