Ika Sdk

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only SDK guide for Ika wallet signing; it is coherent, but users must treat the examples as sensitive financial-key and transaction code.

Install only if you intend to build with Ika dWallets and understand wallet-signing risk. Do not hardcode, paste, log, or expose real seeds, private keys, decryption keys, or secret shares to an agent or source repository. Run examples on testnet first, verify the selected network, inspect every transaction before signing, and use shared or autonomous signing only when that authority model is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill documents generating encryption keys from a seed and exposes direct accessors for sensitive decryption material (`decryptionKey`, serialized key bytes) without any warning about secure storage, secret redaction, or avoiding logs/client-side leakage. In a wallet and signing SDK context, this omission can lead developers to hardcode seeds, persist secrets insecurely, or expose private key material, which can enable wallet compromise and unauthorized signing.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation provides ready-to-use transaction signing and execution examples (`signAndExecuteTransaction`, DKG/sign requests) without warning that these operations submit real on-chain actions that may spend funds, create capabilities, or authorize irreversible blockchain state changes. In a cross-chain signing skill, developers may copy examples into production or point them at mainnet/testnet with real assets, increasing the chance of accidental fund movement or unintended authorization.

VirusTotal

65/65 vendors flagged this skill as clean.
