Skill v2.0.5
ClawScan security
Kite Agent Smart Wallet Permissionless Protocol V2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 25, 2026, 3:02 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code implements a Telegram-controlled testnet wallet and largely matches its description, but its requirement declarations are inconsistent or missing (env var names), there is minor scope creep in logging and in the repo-push instructions, and other mismatches warrant caution before installing it or trusting it with secrets.
- Guidance: What to consider before installing or running this skill:
  - Origin & trust: The skill's source is listed as unknown. Prefer code from an identified, trusted repository or author; if you do not know the author, treat the package as untrusted.
  - Secret handling: The bot requires a private key and a Telegram bot token. Do NOT use a real or mainnet private key; use a fresh testnet wallet holding only minimal test funds. Keep secrets out of repository commits: remove or gitignore your .env before pushing. GITHUB-SETUP.md includes push instructions; follow them only after scrubbing secrets.
  - Env name mismatch: The two JS files expect different env var names (telegram-bot.js expects PRIVATE_KEY and TELEGRAM_BOT_TOKEN; kite-wallet.js reads KITE_WALLET_PRIVATE_KEY). Confirm which entrypoint you run and set the matching variables, or unify the names in the code before deploying to remove the ambiguity.
  - Logging & leakage: The bot prints the wallet address to stdout. On a shared machine or in CI, logs could leak sensitive information. Run it in an isolated environment (local machine or container) and keep it out of log aggregation that might capture secrets.
  - Test first: Run against the Kite testnet with a throwaway key and small test funds. Verify the contract addresses on the provided explorer (testnet.kitescan.ai) and confirm the factory's behavior before committing any valuable funds.
  - Code audit suggestions: Inspect and patch the code to (1) unify env variable names; (2) stop logging key-related or other sensitive fields; (3) validate Telegram commands and addresses before acting on them; (4) map userId to an Ethereum address correctly (the current code passes the numeric Telegram userId where an address is expected, which looks like a bug).
  - Safer alternatives: If you need stronger security, sign transactions offline or use a hardware wallet or a dedicated signing service rather than placing a raw private key in a .env file.
If you want, I can produce a short checklist and minimal code edits to reduce the biggest risks (unify env names, stop logging sensitive fields, add warnings before pushing to GitHub).
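The four audit suggestions above can be folded into a single configuration and command-validation layer in front of ethers. The block below is an added example written for this review, not code from the skill or its author: the env names follow what the scan reports (PRIVATE_KEY, TELEGRAM_BOT_TOKEN, KITE_WALLET_PRIVATE_KEY), while the function names, the regexes and the assumed `<numeric bot id>:<secret>` shape of a Telegram bot token are the example's own assumptions. It needs no dependencies, so it can be dropped next to telegram-bot.js and called before the bot connects to anything.

```javascript
// Added example (not the skill's code): unified, validated configuration for the
// Telegram wallet bot reviewed above. Env names follow the scan; everything else
// (function names, regexes, token shape) is assumed for illustration.

const HEX_PRIVATE_KEY = /^0x[0-9a-fA-F]{64}$/;          // 32-byte secp256k1 key, 0x-prefixed
const ETH_ADDRESS = /^0x[0-9a-fA-F]{40}$/;              // 20-byte address (EIP-55 checksum not enforced)
const TELEGRAM_TOKEN = /^\d{8,12}:[A-Za-z0-9_-]{30,}$/; // assumed "<bot id>:<secret>" shape

// (1) Unify env names: accept PRIVATE_KEY or the legacy KITE_WALLET_PRIVATE_KEY,
// and refuse to guess when both are set to different values.
function loadPrivateKey(env) {
  const present = ['PRIVATE_KEY', 'KITE_WALLET_PRIVATE_KEY']
    .filter((name) => typeof env[name] === 'string' && env[name].trim() !== '')
    .map((name) => ({ name, value: env[name].trim() }));
  if (present.length === 0) {
    throw new Error('missing private key: set PRIVATE_KEY (KITE_WALLET_PRIVATE_KEY is accepted as legacy)');
  }
  if (new Set(present.map((p) => p.value)).size > 1) {
    throw new Error('PRIVATE_KEY and KITE_WALLET_PRIVATE_KEY are both set but differ; keep exactly one');
  }
  const { name, value } = present[0];
  if (!HEX_PRIVATE_KEY.test(value)) {
    throw new Error(`${name} is not a 0x-prefixed 32-byte hex private key`);
  }
  return value;
}

function loadBotToken(env) {
  const token = typeof env.TELEGRAM_BOT_TOKEN === 'string' ? env.TELEGRAM_BOT_TOKEN.trim() : '';
  if (!TELEGRAM_TOKEN.test(token)) throw new Error('TELEGRAM_BOT_TOKEN is missing or malformed');
  return token;
}

// (2) Log a fingerprint, never the secret: enough to tell two keys apart in a log,
// not enough to recover either of them.
function redact(secret) {
  return `${secret.slice(0, 6)}...[${secret.length - 10} chars redacted]...${secret.slice(-4)}`;
}

// (3)/(4) A recipient must be an explicit, well-formed address. A Telegram userId
// (a number, or a numeric string) is rejected instead of being passed through.
function parseRecipientAddress(input) {
  if (typeof input !== 'string' || !ETH_ADDRESS.test(input)) {
    throw new Error('recipient must be a 0x-prefixed 20-byte hex address, not a Telegram userId');
  }
  return input.toLowerCase();
}

// Strict parse of "/send <address> <amount>": both fields are validated before any RPC call.
function parseSendCommand(text) {
  const m = /^\/send\s+(\S+)\s+(\S+)\s*$/.exec(text);
  if (!m) throw new Error('usage: /send <address> <amount>');
  const to = parseRecipientAddress(m[1]);
  if (!/^\d+(\.\d{1,18})?$/.test(m[2]) || Number(m[2]) <= 0) {
    throw new Error('amount must be a positive decimal with at most 18 fraction digits');
  }
  return { to, amount: m[2] };
}

// Startup entry point: returns the validated secrets plus a log-safe status line.
function loadConfig(env = process.env) {
  const privateKey = loadPrivateKey(env);
  const botToken = loadBotToken(env);
  return { privateKey, botToken, logLine: `wallet key loaded: ${redact(privateKey)}` };
}
```

Call `loadConfig()` once at startup and pass `cfg.privateKey` straight into `new ethers.Wallet(...)`; print only `cfg.logLine`. Every Telegram handler that moves funds should go through `parseSendCommand`, so a numeric userId can never reach the contract call as a recipient.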
Review Dimensions
- Purpose & Capability
- note: The stated purpose (Telegram control of a Kite AI testnet smart wallet) matches the code: telegram-bot.js and kite-wallet.js implement the create/balance/session/limit/send commands and call a factory contract over the testnet RPC. However, the registry metadata declares no required env vars or primary credential, while the code clearly requires a private key and a Telegram bot token (inconsistent declarations).
- Instruction Scope
- concern: SKILL.md and README instruct the user to set PRIVATE_KEY and TELEGRAM_BOT_TOKEN and run node telegram-bot.js, which aligns with telegram-bot.js. But kite-wallet.js expects a different env name (KITE_WALLET_PRIVATE_KEY), and both JS files log wallet.address to stdout (potentially leaking sensitive data into logs). GITHUB-SETUP.md includes steps to push the repo to GitHub; combined with .env usage, this risks accidental exposure of private keys if users follow those steps without removing .env. The code talks only to the expected endpoints (rpc-testnet.gokite.ai and api.telegram.org) and does not exfiltrate to unknown domains, but the mismatched env names and the logging are scope concerns.
- Install Mechanism
- ok: This is an instruction-only skill with included Node.js source and a standard package.json (ethers, dotenv). There is no remote download or install of arbitrary binaries or external archives; a plain npm install is expected. No high-risk install URLs or extract steps are present.
- Credentials
- concern: The skill reasonably needs a private key and a Telegram bot token to operate. However, the registry metadata lists no required env vars, while SKILL.md and the code require PRIVATE_KEY/TELEGRAM_BOT_TOKEN (telegram-bot.js) and KITE_WALLET_PRIVATE_KEY (kite-wallet.js); this inconsistency can lead to misconfiguration and accidental key exposure. The number of secrets requested is proportionate, but the mismatch in env names and the guidance to push the repository increase the risk.
- Persistence & Privilege
- ok: The skill does not request always:true, does not modify other skills or system-wide settings, and runs locally as a user process. It uses standard network APIs to talk to Telegram and the testnet RPC. No persistent or privileged installation behavior is present.
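The Instruction Scope and Credentials dimensions flag the same hazard: a .env holding a raw private key sitting next to push instructions. A check that runs before `git push` closes that gap. The block below is an added example for this review, not the skill's own code; it works on an in-memory snapshot of the repository (a constructed SAMPLE_TREE is embedded so it runs offline) rather than calling git, and the secret patterns, the simplified .gitignore semantics, the file names and the function names are assumptions of the example.

```javascript
// Added example (not the skill's code): a pre-push secret scan for the workflow in
// GITHUB-SETUP.md. Operates on an in-memory file map so it runs offline; patterns,
// file names and the constructed SAMPLE_TREE below are the example's own assumptions.

const SECRET_PATTERNS = [
  { name: 'private key (0x + 64 hex)', re: /\b0x[0-9a-fA-F]{64}\b/ },
  { name: 'Telegram bot token', re: /\b\d{8,12}:[A-Za-z0-9_-]{30,}\b/ },
];

// Files that must never be pushed with real values: .env and its per-environment variants.
// .env.example is deliberately not matched; it is expected to hold placeholders only.
const DOTENV_FILE = /(^|\/)\.env(\.(local|development|production|test))?$/;

// Minimal .gitignore semantics: a bare name matches at any depth, "dir/" matches
// everything under dir, and a trailing "*" is a prefix match. Enough for this check,
// not a full gitignore implementation.
function gitignoreCovers(gitignoreText, filePath) {
  return gitignoreText
    .split('\n')
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'))
    .some((rule) => {
      const pat = rule.replace(/^\//, '');
      if (pat.endsWith('/')) return filePath.startsWith(pat);
      if (pat.endsWith('*')) return filePath.startsWith(pat.slice(0, -1));
      return filePath === pat || filePath.endsWith('/' + pat);
    });
}

// Scan every file git would push (i.e. not ignored) for tracked dotenv files and for
// values shaped like the two secrets this bot needs. Returns a list of findings;
// an empty list means the push may proceed.
function prePushCheck(tree) {
  const findings = [];
  const gitignore = tree['.gitignore'] || '';
  for (const [path, content] of Object.entries(tree)) {
    if (path === '.gitignore' || gitignoreCovers(gitignore, path)) continue;
    if (DOTENV_FILE.test(path)) {
      findings.push({ path, issue: 'dotenv file would be pushed; add it to .gitignore' });
    }
    content.split('\n').forEach((line, i) => {
      for (const { name, re } of SECRET_PATTERNS) {
        if (re.test(line)) findings.push({ path, line: i + 1, issue: `matches ${name} pattern` });
      }
    });
  }
  return findings;
}

// Constructed sample repository: .env is ignored, but README.md pastes a real-looking key.
const SAMPLE_TREE = {
  '.gitignore': 'node_modules/\n.env\n',
  '.env': `PRIVATE_KEY=0x${'ab'.repeat(32)}\nTELEGRAM_BOT_TOKEN=123456789:${'A'.repeat(35)}\n`,
  '.env.example': 'PRIVATE_KEY=0x<your-testnet-key>\nTELEGRAM_BOT_TOKEN=<bot-id>:<secret>\n',
  'README.md': `# Setup\nExample: PRIVATE_KEY=0x${'cd'.repeat(32)}\n`,
  'telegram-bot.js': 'const key = process.env.PRIVATE_KEY;\n',
};
```

Feed `prePushCheck` the files listed by `git ls-files` (or the staged set from a pre-push hook) and refuse to push while it returns any findings. On the sample tree the ignored .env is skipped, the placeholder-only .env.example passes, and the key pasted into README.md is reported; remove `.env` from .gitignore and the scan additionally reports the tracked .env file and both secret values inside it.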
