Reva

Security checks across malware telemetry and agentic risk

Overview

This Reva wallet skill is mostly coherent, but it can move cryptocurrency without a clear final confirmation step and includes under-disclosed remote message handling.

Review this carefully before installing. Only use it if you trust Reva with wallet operations, install it on a trusted device, and manually confirm recipient, token, chain, and amount before every transfer. Treat ~/.openclaw/payid/auth.json as sensitive credentials and delete it or use logout when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions while explicitly instructing the agent to invoke local shell scripts for authentication, balance checks, and fund transfers. This mismatch weakens transparency and reviewability, making it easier for powerful local execution to bypass normal user expectations and platform policy controls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The described purpose understates important behaviors: local token/session persistence, transfers to Twitter usernames, and forwarding messages to a remote service in multi-step transfer flows. Description-behavior mismatch is dangerous in a wallet skill because users and reviewers may not realize the skill stores credentials and can route transfer instructions through additional remote messaging logic.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This script implements chat/message creation against /api/message/create-message, which is outside the stated wallet-management capabilities. That mismatch increases the risk of undocumented data flows and hidden functionality, especially because user-supplied messages and authentication tokens are transmitted to a remote service not justified by the manifest.

Context-Inappropriate Capability

Low
Confidence
79% confidence
Finding
The script persists chat room state in ~/.openclaw/payid/room_state.txt even though local chat-session storage is not explained by the wallet-management purpose. While the stored value is only a room ID, undocumented persistence can create privacy surprises, enable cross-session correlation, and support hidden non-wallet functionality.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The login/register trigger language is broad enough to match common requests about account access, which can cause unintended invocation of an authentication workflow. In a financial context, accidental invocation increases phishing-like UX risk and may prompt users to reveal email or OTP data in contexts where they did not intend to authenticate.

Vague Triggers

Medium
Confidence
82% confidence
Finding
Phrases like 'view funds' or 'check how much money they have' are generic and may overlap with unrelated conversations about finances. In a wallet skill, this can trigger balance retrieval unexpectedly and expose sensitive financial information to the wrong conversational context.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The user-information trigger set is overly broad and includes many common profile and deposit-related terms. Because the action retrieves sensitive account metadata such as email, wallet address, referral code, and social linkage, ambiguous invocation can leak personal and financial identifiers unintentionally.

Vague Triggers

Medium
Confidence
94% confidence
Finding
Transfer triggers include very common language like 'pay someone' and 'send money,' which increases the chance of accidental activation in ordinary conversation. In a cryptocurrency wallet skill, ambiguous invocation is especially dangerous because it can lead the agent into gathering transfer details for an irreversible financial action.

Missing User Warnings

High
Confidence
97% confidence
Finding
The transfer instructions do not prominently warn that crypto transfers are irreversible and may result in permanent loss if the recipient or network is wrong. Missing this warning in a wallet skill materially increases user harm because users may treat the action as casually reversible like a chat or banking transfer.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This script performs a live funds-transfer operation immediately after constructing the payload, with no local confirmation, preview, or friction step before sending the request. In a wallet-management skill, that is dangerous because any upstream parsing error, prompt/agent mistake, or maliciously supplied recipient/amount can directly trigger irreversible crypto transfers.

Missing User Warnings

Medium
Confidence
69% confidence
Finding
After successful verification, the script persists the returned authentication token via a helper script without any visibility into storage protections, expiration handling, or user consent. Persisting bearer tokens increases the risk of account compromise if they are stored insecurely, logged, or retained longer than necessary, especially in an agent skill that may run on shared systems.

Credential Access

High
Category
Privilege Escalation
Content
**Token Storage:**

- Access tokens are stored locally in `~/.openclaw/payid/auth.json` with restricted file permissions (chmod 600)
- This is a standard OAuth/JWT token pattern - tokens are stored locally for session persistence
- Users can clear their token at any time by deleting the auth file or using the skill's logout functionality
- Tokens expire and require re-authentication when invalid
Confidence
78% confidence
Finding
Access tokens

Exfiltration Commands

High
Category
Prompt Injection
Content
### Send Funds (Simple)

1. User: "send 0.01 usdt on bnb to aldo"
2. Forward message to Reva AI
3. Reva AI processes and sends funds
4. Display transaction confirmation with links
Confidence
92% confidence
Finding
Forward message to

VirusTotal

66/66 vendors flagged this skill as clean.
