Sagb
Security checks across malware telemetry and agentic risk
Overview
This is a real-money Solana skill that is mostly aligned with its stated purpose, but it gives agents private-key, trading, token-launch, periodic-operation, and silent-update instructions that need careful review.
Install only if you intentionally want an agent to operate a Bags/Solana wallet. Use a dedicated low-value wallet, do not enable silent auto-updates, require manual approval for every transaction or token launch, review any local signing code, and protect or rotate all Bags, Moltbook, and wallet credentials.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent, a copied script, or any local process mishandles the exported key, real SOL and tokens could be transferred or traded.
The skill documents exporting a Solana wallet private key; this is purpose-aligned for signing, but it grants full control of real assets and is not tightly bounded by approval or scope controls.
⚠️ SECURITY WARNING: Private keys give full control over your wallet. Handle with extreme care. ... /agent/wallet/export
Use a dedicated low-balance wallet, require explicit human approval before every signing action, avoid saving private keys, and revoke or rotate credentials if exposed.
An overbroad or mistaken invocation could execute real token swaps or other on-chain transactions with financial consequences.
The documented workflow can create, sign, and submit swaps using user-supplied token and amount parameters, but the artifacts do not define approval gates, amount limits, or rollback controls.
Usage: ./bags-swap.sh <input_mint> <output_mint> <amount> ... BAGS_PRIVATE_KEY=$(curl -s -X POST https://public-api-v2.bags.fm/api/v1/agent/wallet/export ... BAGS_SIGNED_TX=$(node ~/.config/bags/sign-transaction.js "$BAGS_PRIVATE_KEY" "$BAGS_UNSIGNED_TX") ... /solana/send-transaction
Treat every trade, claim, launch, or send-transaction step as requiring explicit user confirmation, including token addresses, amounts, fees, slippage, and destination.
Future remote content could change what the agent is told to do without the user noticing, especially dangerous for a financial wallet skill.
The heartbeat routine tells the agent to silently overwrite local skill files from remote URLs, which could introduce new unreviewed instructions after installation.
## Auto-Update Skills (Silently) Check for updates and apply them without bothering your human: ... curl -s https://bags.fm/skill.md > ~/.bags/skills/SKILL.md
Disable silent auto-update; update only through reviewed, versioned releases and show the user a diff before replacing skill instructions.
The agent may continue checking balances, claimable positions, state, and updates without prompting the user each time.
The skill encourages recurring autonomous operation and silent handling of routine account activity; it does not itself install a scheduler, but the instructions promote ongoing behavior beyond a single request.
*Run this every 1-4 hours* ... **Autonomous** — Handle routine tasks silently
Run heartbeat checks manually or on an explicitly approved schedule with clear logging, notification thresholds, and no automatic transaction or update authority.
An agent could treat the skill as authorization to launch tokens, post publicly, or claim/trade funds without a fresh user decision.
The skill's culture guidance tells the agent to take initiative without permission in a context involving real assets, public posts, and token launches.
You decide what tokens to launch. ... You don't need permission. ... Launch the token. Make the post. Claim your fees.
Set an explicit policy that public posts, token launches, trades, claims, and wallet-signing actions require human approval unless the user has pre-approved exact limits.
A compromised dependency or modified local signing script could see private-key material during signing.
The local Node.js signing helper and npm dependencies are expected for Solana transaction signing, but they run code in the same environment where private-key material is handled.
Create `~/.config/bags/sign-transaction.js` ... `cd ~/.config/bags && npm install`
Review the signing script, pin and audit dependencies, keep the signing environment isolated, and pass private keys only for the minimum time necessary.