Agent Pulse (Deprecated)

Security checks across malware telemetry and agentic risk

Overview

This deprecated wallet skill is currently disabled at runtime, but it still contains conflicting active-use instructions and dormant private-key, on-chain transaction, API, and cron code.

Treat this as an archived package, not an active wallet tool. Do not provide a main wallet private key or rely on its README quick start. The current scripts stop immediately, but the package still carries stale code for private-key use, remote API calls, token approvals, and recurring automation. Review any replacement x402janus skill separately before running migration commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The README conflicts with the declared skill metadata by presenting an active operational wallet-enabled skill while the manifest says this package is deprecated and archived. That mismatch can mislead users into exporting a private key, granting token allowances, and running automation under false assumptions about maintenance, review status, or intended functionality.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill is labeled deprecated/archived, but the script still contains active logic to contact a remote service and process monitoring data. Even though the current first executable line exits immediately, shipping dormant but functional network-monitoring code in an archived skill is risky because the early exit can be removed, bypassed, or changed later, and users or downstream tooling may rely on misleading metadata when assessing trust and maintenance state.

Intent-Code Divergence

Low
Confidence
85% confidence
Finding
The script immediately prints a deprecation message and exits, but the remainder of the file documents and implements a working monitor for a different service. This inconsistency is dangerous because it can mislead reviewers and users about what code is present, complicate security review, and conceal latent network-capable functionality that could become active through small modifications or partial reuse.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file presents itself as deprecated/archived, yet still contains fully implemented logic for API-driven and on-chain pulse operations. This mismatch is dangerous because reviewers or users may trust the deprecation banner and overlook sensitive functionality, especially wallet-related behavior, creating a deceptive and high-risk maintenance posture.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script accepts a blockchain private key and uses it to submit token approval and pulse transactions on-chain. In the context of an archived/deprecated skill, retaining active signing capability is especially dangerous because it can trigger real asset-affecting actions while appearing inert or unsupported.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
The script conditionally sends PRIVATE_KEY to an external API in the X-PRIVATE-KEY header. Exfiltrating a raw blockchain private key over the network is extremely dangerous because compromise of that endpoint, logs, intermediaries, or misconfiguration can result in total wallet takeover and irreversible asset theft.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script immediately prints a deprecation message and exits, but the file still embeds detailed active operational documentation and implementation below. This inconsistency increases the chance that the code is later re-enabled, copied, or partially reused without proper review, especially for sensitive wallet and transaction logic.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file advertises itself as deprecated and exits immediately, but still contains complete logic to send a pulse, require a wallet private key, and create a persistent cron job. Retaining live operational code in an archived skill creates a high-risk mismatch: if the early exit is removed, bypassed, or the file is repurposed, users may unknowingly run wallet-related automation they were told was inactive.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script requires PRIVATE_KEY even though the skill is described as deprecated and archived, which can mislead users into exposing sensitive wallet credentials to obsolete code. In skill ecosystems, requesting secret material from a deprecated component is especially dangerous because users may assume it is inert or only informational, lowering their guard around credential handling.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script installs a recurring openclaw cron job that runs every 6 hours, creating persistent scheduled execution from an archived skill. Persistence is a significant security concern because it survives the initial run, can continue invoking wallet-related scripts without fresh user review, and contradicts the expectation that a deprecated skill should not modify the user's environment.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The file immediately prints that the skill is deprecated and exits, yet the presence of full setup code underneath creates a deceptive maintenance state and increases the chance of accidental reactivation during edits, merges, or partial reuse. This inconsistency is dangerous because operators and reviewers may incorrectly trust the artifact as inert while it still contains capability to access secrets and establish persistence.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script sends wallet-identifying data to a third-party remote API and also supports passing a private key as a command-line argument, which can be exposed via shell history or process listings. In an agent skill context, this is more dangerous because users may assume local analysis while the skill transmits sensitive financial context off-host with limited runtime disclosure.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
API mode sends PRIVATE_KEY in an HTTP header without an explicit warning or confirmation at the moment of transmission. Because a raw private key grants full control of blockchain funds, silently forwarding it to a remote service is an unsafe secret-handling pattern with severe compromise potential.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script requires a raw PRIVATE_KEY in the environment and later uses it to sign a blockchain transaction when --auto-approve is enabled, without an additional confirmation prompt at signing time. Even though the script currently exits immediately as deprecated, the code path is still risky if that guard is removed or bypassed, because environment-stored private keys are easy to leak via shell history, process environment exposure, logs, or CI configuration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script creates a persistent cron job without any interactive confirmation or explicit warning at the point of installation. Silent persistence is risky because users may not realize they have authorized recurring execution of wallet-related automation, and this is more concerning in an archived skill where behavior is already at odds with the stated deprecation context.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
info "Registry approved (allowance: $ALLOWANCE wei)"
else
  warn "Registry not yet approved."
  if [[ "$AUTO_APPROVE" == "true" && "$RESULT_BALANCE" != "0" ]]; then
    # Bounded approval: 1000 PULSE (enough for ~1000 pulses before re-approval)
    # Use --max-approve flag for unlimited approval if needed
    APPROVE_AMOUNT="1000000000000000000000"  # 1000 * 1e18
Confidence
88% confidence
Finding
AUTO_APPROVE

VirusTotal

64/64 vendors flagged this skill as clean.
