Wallet Balance Checker

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a read-only balance-checking instruction skill, but it relies on sensitive financial API credentials and only shows Coinbase checking despite claiming several providers.

Before installing, confirm you are comfortable giving the agent read-only access to financial account balances, use least-privilege API keys, and verify that the skill actually covers every platform you expect.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may need to provide access to financial account data, even though the skill says it will not move funds.

Why it was flagged

The skill asks for financial account API credentials. That is expected for a balance checker, and the text says read-only, but these credentials can expose sensitive account and balance information if over-scoped or mishandled.

Skill content

credentials:
      - id: "coinbase-api-key" ... env: "COINBASE_API_KEY"
      - id: "coinbase-api-secret" ... env: "COINBASE_API_SECRET"
      - id: "kalshi-api-key" ... env: "KALSHI_API_KEY"

Recommendation

Use only read-only, least-privilege API keys; do not provide keys that can trade, withdraw, or change account settings.

What this means

The skill may fail or require an undeclared local tool when checking Coinbase balances.

Why it was flagged

The declared binary requirements list curl and jq, but the Coinbase command also depends on openssl for request signing.

Skill content

requires:
      bins: ["curl", "jq"]
...
CB_SIGNATURE=$(echo -n "$CB_MESSAGE" | openssl dgst -sha256 -hmac "$COINBASE_API_SECRET" | cut -d' ' -f2)

Recommendation

Declare openssl as a required binary or document an alternative signing method.

What this means

A user could assume the reported capital view is complete when the provided instructions only support part of the stated coverage.

Why it was flagged

The skill claims a unified multi-platform balance view, but the provided artifact only contains a Coinbase operation and no visible Polymarket, Kalshi, or sportsbook balance instructions.

Skill content

Check balances across Coinbase, Polymarket, Kalshi, and sportsbook accounts. Unified capital view. Read-only. ... ### 1. Check Coinbase Balance

Recommendation

Verify that additional provider instructions exist before relying on this for a full capital view.