AgentWallet
Warn
Audited by ClawScan on May 18, 2026.
Overview
AgentWallet is a disclosed crypto-wallet skill, but it gives an agent broad ability to unlock, sign, and send irreversible crypto transactions without clear per-transaction approval safeguards.
Install only if you intentionally want an AI agent to operate a crypto wallet. Before use, verify the npm package and source, use a separate low-value wallet, keep unlock sessions short, never leave tokens in logs or long-lived context, require explicit approval for every transfer or signature, and lock the wallet immediately when finished.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wallet is unlocked, an agent error or unsafe prompt could move crypto funds irreversibly.
This exposes a non-interactive funds-transfer command using a session token, but the instructions do not require explicit user confirmation, spending caps, recipient checks, or a dry-run before a transfer.
agentwallet transfer -f <from_address> -t <to_address> -a <amount> --token <token> --json
Use only with explicit per-transaction user approval, low-value segregated wallets, recipient and amount review, and preferably a dry-run or sign-only step before broadcasting.
Anyone or any agent context with the token could potentially use the wallet until the token expires or is locked.
The session token appears to grant wallet operation authority for later commands, including transfers and signing, without documented scopes, per-action approval, or recipient/amount restrictions.
This returns `{"token":"awlt_...","expiresAt":"..."}`. Save the token for subsequent commands.
Use the shortest possible session TTL, avoid storing tokens in long-lived context or logs, lock immediately after use, and require separate user approval for every spend or signature.
A compromised or different npm package version could expose wallet material or authorize unwanted transactions.
The high-impact wallet runtime is installed as an external npm package, while the provided artifact set contains no code files and the registry context lists the source as unknown, so the code handling keys and transactions is not reviewable here.
[0] node | package: agentwallet | creates binaries: agentwallet
Verify the npm package, repository, version pinning, and source code before installing; do not fund wallets created by this tool until the runtime is independently trusted.
