2026 02 10 Clawhub Base Wallet 1.5.0

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate wallet skill, but it handles raw crypto private keys and remote account registration in ways users should review carefully before installing.

Install only if you are comfortable with an agent-accessible crypto wallet. Use a fresh low-value wallet, avoid copying private keys into shell history or shared .env files, prefer an external secret manager where possible, review any BaseMail registration before signing, and do not fund the wallet beyond what you are prepared to lose.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents use of environment variables and outbound RPC/network access, but no permissions are declared. In an agent setting, undeclared access to secrets and network resources weakens sandboxing and informed consent, making it easier for the skill to exfiltrate wallet material or perform unintended remote actions. Because this is a wallet skill handling private keys, missing permission declarations are more dangerous than in ordinary utility skills.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented behavior exceeds or differs from the stated purpose: it includes BaseMail account registration, local metadata storage, and balance checks, while the description also claims transaction sending capability that may not actually exist. This mismatch is dangerous because operators may grant trust based on the advertised wallet scope while the skill performs additional remote account-registration and persistence actions with wallet-derived identity data. In a crypto-wallet context, hidden or inaccurate capabilities materially increase the risk of unauthorized identity binding, data disclosure, or misuse of credentials.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation claims security by avoiding plaintext keys, yet later provides an example that writes the private key directly into a JSON file. Even with file mode 0600, this is still plaintext secret storage on disk and exposes the key to local compromise, backups, accidental sync, malware, or operational mistakes. In a wallet skill, compromise of the private key means full loss of funds and identity impersonation.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This script adds third-party account registration and local audit persistence that go beyond core wallet creation/signing/transaction behavior. In an agent skill context, that scope expansion is security-relevant because it can cause the agent to interact with an external service and create durable local artifacts without the user necessarily expecting identity enrollment or telemetry-style logging.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The script mutates managed wallet files to store BaseMail-specific metadata, coupling wallet secret storage with unrelated account/profile data. That broadens the blast radius of wallet-file access, can confuse downstream tooling that assumes a wallet file only contains key material, and introduces hidden state changes during what appears to be a registration action.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The script warns that managed wallets will be saved under ~/.openclaw/wallets/<name>.json, but the actual path is controlled by WALLET_DIR or defaults elsewhere in code. This discrepancy can cause users and automation to mis-handle highly sensitive key material, back up the wrong location, or leave wallet files unprotected because they are looking in the wrong directory.

Credential Access

High
Category
Privilege Escalation
Content
// Mode: --env (recommended)
  if (isEnv) {
    console.log('# 🔐 New Wallet Created');
    console.log('# Copy these lines to your shell or .env file:');
    console.log('');
    console.log(`export WALLET_ADDRESS="${wallet.address}"`);
    console.log(`export PRIVATE_KEY="${wallet.privateKey}"`);
Confidence
92% confidence
Finding
.env

Session Persistence

Medium
Category
Rogue Agent
Content
## Quick Start

### Create a New Wallet (Recommended)

```bash
# Output as environment variable format (safest)
Confidence
84% confidence
Finding
Create a New Wallet (Recommended) ```bash # Output as environment variable format (safest) node scripts/create-wallet.js --env # Output example: # export WALLET_ADDRESS="0x..." # export PRIVATE_KEY=

VirusTotal

61/61 vendors flagged this skill as clean.
