Bank Skills
Security checks across malware telemetry and agentic risk
Overview
This skill is purpose-aligned but needs review because it can move real bank and crypto funds, and its wallet-key handling has weak defaults and no clear transaction approval limits.
Only install this if you intentionally want an agent to access Wise and possibly crypto funds. Use a least-privilege Wise token, set WISE_PROFILE_ID, set a strong CLAWBANK_WALLET_PASSWORD, fund wallets with small amounts only, require manual approval for every transfer or swap, and monitor/revoke credentials if anything looks wrong.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is mistaken or influenced by bad instructions, it could initiate a real bank transfer using the user's Wise token.
The send-money flow creates and funds a Wise transfer in one action; the reviewed artifacts do not show a separate confirmation gate, amount cap, recipient allowlist, or dry-run before funds move.
Steps:
1. Create quote
...
4. Create transfer
5. Fund transfer
...
_fund_transfer(client, pid, transfer["id"])
Require explicit human confirmation for every transfer, show recipient/amount/fees before funding, add spending limits and recipient allowlists, and consider disabling autonomous model invocation for money-moving actions.
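The gate the recommendation describes, as an added example written for this review rather than code from the skill: deterministic policy checks (expected profile, recipient allowlist, amount cap) run first, then a dry-run option, then a human confirmation callback as the last step before the caller would create and fund the transfer. The quote dict shape, the names `TransferPolicy`, `check_transfer`, `TransferRejected` and the sample values are all assumptions constructed for the example.

```python
"""Pre-funding policy gate for a money-moving agent tool.

Added illustration, not the skill's own code. The quote dict keys, the class and
function names, and the sample values are constructed assumptions.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable, Optional, Set


class TransferRejected(Exception):
    """Raised when a transfer fails the policy gate; nothing has been funded."""


@dataclass
class TransferPolicy:
    # Hard ceiling for a single transfer, in the source currency.
    max_amount: Decimal
    # Recipient ids that may receive funds at all (hypothetical id format).
    recipient_allowlist: Set[str] = field(default_factory=set)
    # Profile the token is expected to act on; the quote must match it.
    expected_profile_id: Optional[str] = None
    # Human-in-the-loop hook; must return True for funds to move.
    confirm: Callable[[str], bool] = lambda summary: False

    def __post_init__(self) -> None:
        # Accept "100" or 100 and normalise to Decimal to avoid float money math.
        self.max_amount = Decimal(str(self.max_amount))


def summarize(quote: dict, recipient_id: str) -> str:
    """Recipient/amount/fee line a human should see before funding."""
    return (
        f"profile={quote['profileId']} recipient={recipient_id} "
        f"send={quote['sourceAmount']} {quote['sourceCurrency']} "
        f"receive={quote['targetAmount']} {quote['targetCurrency']} "
        f"fee={quote['fee']} {quote['sourceCurrency']}"
    )


def check_transfer(policy: TransferPolicy, quote: dict, recipient_id: str,
                   dry_run: bool = False) -> str:
    """Return the summary if the transfer may proceed; raise TransferRejected otherwise.

    Ordering matters: cheap deterministic checks run first so a policy violation
    never reaches the human prompt, and the prompt is the final gate before the
    caller creates and funds the transfer.
    """
    amount = Decimal(str(quote["sourceAmount"]))
    if policy.expected_profile_id and str(quote["profileId"]) != policy.expected_profile_id:
        raise TransferRejected("quote belongs to an unexpected Wise profile")
    if recipient_id not in policy.recipient_allowlist:
        raise TransferRejected(f"recipient {recipient_id} is not allowlisted")
    if amount <= 0 or amount > policy.max_amount:
        raise TransferRejected(f"amount {amount} outside 0..{policy.max_amount}")
    summary = summarize(quote, recipient_id)
    if dry_run:
        return "DRY RUN (not funded): " + summary
    if not policy.confirm(summary):
        raise TransferRejected("human confirmation not given")
    return summary


# Constructed sample quote in the shape the checks above expect (not real API output).
SAMPLE_QUOTE = {
    "profileId": 12345,
    "sourceAmount": "50.00",
    "sourceCurrency": "EUR",
    "targetAmount": "54.10",
    "targetCurrency": "USD",
    "fee": "0.90",
}

if __name__ == "__main__":
    policy = TransferPolicy(
        max_amount=Decimal("100"),
        recipient_allowlist={"acct-1"},
        expected_profile_id="12345",
        confirm=lambda s: input(s + "\nApprove? [y/N] ").strip().lower() == "y",
    )
    print(check_transfer(policy, SAMPLE_QUOTE, "acct-1", dry_run=True))
```

The confirmation callback is deliberately the last check and defaults to refusing, so a caller that forgets to wire a prompt fails closed instead of funding silently; the `_fund_transfer` call quoted above would be placed after `check_transfer` returns.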
Transfers or balance checks could apply to the wrong Wise profile if the token has access to more than one profile.
When WISE_PROFILE_ID is not set, the skill automatically uses the first Wise profile available to the API token, which may not be the intended account/profile for transfers.
"""If *profile_id* is provided, return it directly. Otherwise, fetch profiles from the API and return the first one."""
...
return str(profiles[0]["id"])
Set WISE_PROFILE_ID explicitly, use least-privilege Wise tokens, and require the selected profile to be displayed and confirmed before any transfer.
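A fail-closed replacement for the "return the first profile" logic, as an added example that is not the skill's code: an explicit WISE_PROFILE_ID must match a profile the token can actually see, and without it the token must be scoped to exactly one profile. The `list_profiles` callable and the sample profile records are constructed assumptions standing in for the API call.

```python
"""Fail-closed Wise profile selection.

Added illustration, not the skill's code. WISE_PROFILE_ID is the env var the
page names; list_profiles() is a hypothetical callable standing in for the API,
and SAMPLE_PROFILES is constructed data.
"""
import os
from typing import Callable, Dict, List, Mapping

PROFILE_ENV = "WISE_PROFILE_ID"


class ProfileSelectionError(Exception):
    """Raised instead of guessing which profile a transfer should use."""


def resolve_profile(list_profiles: Callable[[], List[Dict]],
                    env: Mapping[str, str] = os.environ) -> Dict:
    """Return the one profile the agent may act on, or raise.

    Unlike 'take profiles[0]', this never guesses: an explicit env value must
    match a profile visible to the token, and without the env value the token
    must see exactly one profile.
    """
    by_id = {str(p["id"]): p for p in list_profiles()}
    wanted = env.get(PROFILE_ENV, "").strip()
    if wanted:
        if wanted not in by_id:
            raise ProfileSelectionError(
                f"{PROFILE_ENV}={wanted} is not visible to this token")
        return by_id[wanted]
    if len(by_id) == 1:
        return next(iter(by_id.values()))
    raise ProfileSelectionError(
        f"token sees {len(by_id)} profiles; set {PROFILE_ENV} explicitly")


def describe_profile(profile: Dict) -> str:
    """Line to show the user before any transfer so the selected profile is visible."""
    return (f"Acting on Wise profile {profile['id']} "
            f"({profile.get('type', '?')}: {profile.get('fullName', '?')})")


# Constructed sample records loosely shaped like profile entries; not real accounts.
SAMPLE_PROFILES = [
    {"id": 111, "type": "personal", "fullName": "Example Person"},
    {"id": 222, "type": "business", "fullName": "Example Ltd"},
]

if __name__ == "__main__":
    chosen = resolve_profile(lambda: SAMPLE_PROFILES, {PROFILE_ENV: "222"})
    print(describe_profile(chosen))
```

Pairing this with a token that is itself scoped to a single profile gives two independent controls: the token cannot reach other profiles, and the code refuses to act when ambiguity remains.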
If the wallet holds funds, anyone or any process with access to the keystore may be able to decrypt it when the default password is used; exporting the key also risks exposing full wallet control in agent outputs or logs.
The local wallet keystore is encrypted with a public default password unless the user overrides it, and the code includes a function that returns the private key.
DEFAULT_PASSWORD = "clawbank-default"
...
password = os.environ.get(WALLET_PASSWORD_ENV, DEFAULT_PASSWORD)
...
return {
"private_key": pk_hex,
"address": address,
Require a user-supplied strong wallet password with no default, store keys in an OS keychain or hardware wallet where possible, and keep private-key export behind explicit manual confirmation or remove it from agent-accessible tools.
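The two fixes the recommendation asks for, as an added example rather than the skill's code: a password loader with no fallback that also refuses the public default quoted above and weak values, and an export function that returns the address freely but releases the private key only through an explicit confirmation hook. CLAWBANK_WALLET_PASSWORD and the default string come from the page; the entropy thresholds and function names are assumptions.

```python
"""Wallet password policy and gated key export.

Added illustration, not the skill's code. The env var name and the default
string are quoted from the page; thresholds and names are assumptions.
"""
import math
import os
from typing import Callable, Dict, Mapping

WALLET_PASSWORD_ENV = "CLAWBANK_WALLET_PASSWORD"
# The public default quoted from the reviewed code; treated here as forbidden.
KNOWN_DEFAULT = "clawbank-default"
MIN_LENGTH = 16          # assumed policy values
MIN_ENTROPY_BITS = 60.0


class WalletPasswordError(Exception):
    """Raised instead of falling back to a default password."""


def estimate_entropy_bits(password: str) -> float:
    """Crude estimate: length * log2(size of the character classes present)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def load_wallet_password(env: Mapping[str, str] = os.environ) -> str:
    """Return the user-supplied password or raise; there is no default path."""
    password = env.get(WALLET_PASSWORD_ENV)
    if not password:
        raise WalletPasswordError(
            f"{WALLET_PASSWORD_ENV} is not set; refusing to use a default")
    if password == KNOWN_DEFAULT:
        raise WalletPasswordError("the public default password is not allowed")
    if len(password) < MIN_LENGTH or estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        raise WalletPasswordError("password is too short or too predictable")
    return password


def export_wallet(address: str, private_key_hex: str,
                  confirm: Callable[[str], bool]) -> Dict[str, str]:
    """Return the address freely; include the key only on explicit confirmation.

    The default agent-visible result never contains the key, so it cannot leak
    through tool outputs or logs unless a human opted in for this call.
    """
    result = {"address": address}
    if confirm(f"Export the PRIVATE KEY for {address}? This grants full control."):
        result["private_key"] = private_key_hex
    return result


if __name__ == "__main__":
    try:
        load_wallet_password({WALLET_PASSWORD_ENV: KNOWN_DEFAULT})
    except WalletPasswordError as exc:
        print("rejected:", exc)
    # Constructed placeholder values, not a real wallet.
    print(export_wallet("0x0000000000000000000000000000000000000000", "<redacted>",
                        lambda msg: False))
```

Separating `export_wallet` from the normal wallet-info path lets the agent-facing tool expose only the address; the keyed variant can be left out of the tool registry entirely if export is not needed.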
If this advertised swap path is used, a user could receive far fewer tokens than expected or lose value due to price movement, MEV, or a bad route.
The included swap path can sign and broadcast an on-chain transaction while accepting zero minimum output, which removes slippage protection.
amount_out_min=0, # TODO: Use Quoter for slippage protection
...
tx_hash_bytes = w3.eth.send_raw_transaction(signed.raw_transaction)
Calculate and enforce a minimum received amount, show the quote and slippage to the user, and require confirmation before signing and broadcasting swaps.
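How the minimum received amount is derived and enforced, as an added example that is not the skill's code: the floor is computed from a quoted output in the token's smallest unit with integer arithmetic and a tolerance in basis points, a guard refuses to sign any swap whose `amount_out_min` is still 0, and a summary line shows the quote and tolerance before confirmation. `amount_out_min` is the parameter named in the excerpt; the quoted amount, tolerance and function names are constructed assumptions.

```python
"""Slippage floor for a swap and a refuse-to-sign guard.

Added illustration, not the skill's code. amount_out_min is the parameter the
page quotes; quoted amounts, tolerances and names are constructed assumptions.
"""
from typing import Callable, Dict

BPS = 10_000  # basis points in 100%


class SwapRejected(Exception):
    """Raised before anything is signed or broadcast."""


def min_out_from_quote(quoted_out: int, slippage_bps: int) -> int:
    """Return quoted_out * (1 - slippage), rounded down, in the token's smallest unit.

    Integer math avoids float rounding on token amounts; rounding down means the
    floor can never exceed the quote itself.
    """
    if quoted_out <= 0:
        raise ValueError("quoted output must be positive")
    if not 0 <= slippage_bps < BPS:
        raise ValueError("slippage must be in [0, 10000) basis points")
    return quoted_out * (BPS - slippage_bps) // BPS


def guard_swap_params(params: Dict[str, int]) -> Dict[str, int]:
    """Refuse to sign a swap whose floor is 0 (no slippage protection at all)."""
    if int(params.get("amount_out_min", 0)) <= 0:
        raise SwapRejected("amount_out_min is 0: swap has no slippage protection")
    if params["amount_out_min"] > params["quoted_out"]:
        raise SwapRejected("amount_out_min exceeds the quote; inputs are inconsistent")
    return params


def swap_summary(params: Dict[str, int], slippage_bps: int, symbol: str) -> str:
    """Quote and tolerance line to show the user before confirmation."""
    return (f"quote={params['quoted_out']} {symbol} "
            f"min_out={params['amount_out_min']} {symbol} "
            f"tolerance={slippage_bps / 100:.2f}%")


def prepare_swap(quoted_out: int, slippage_bps: int, symbol: str,
                 confirm: Callable[[str], bool]) -> Dict[str, int]:
    """Build guarded swap parameters; returns only after the user confirmed."""
    params = guard_swap_params({
        "quoted_out": quoted_out,
        "amount_out_min": min_out_from_quote(quoted_out, slippage_bps),
    })
    if not confirm(swap_summary(params, slippage_bps, symbol)):
        raise SwapRejected("user did not confirm the swap")
    return params


if __name__ == "__main__":
    # Constructed quote: 1.0 of a 6-decimal token, 0.5% tolerance.
    print(prepare_swap(1_000_000, 50, "USDC-like", lambda s: print(s) or True))
```

Because the on-chain router reverts when the received amount is below `amount_out_min`, a non-zero floor turns a bad route or adverse price move into a failed transaction rather than a silent loss; the guard ensures the quoted `# TODO` path can never reach `send_raw_transaction` with a zero floor.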
Future dependency versions could change behavior in a finance-related skill, even if the current source appears coherent.
Dependencies are declared as open version ranges rather than pinned versions with a lockfile in the provided artifacts.
dependencies = [
"fastmcp>=0.9.0",
"httpx>=0.25.0",
"pydantic>=2.0.0",
"web3>=6.0.0",
"eth-account>=0.11.0",
Pin and lock dependency versions, publish checksums or a lockfile, and review dependency updates before using the skill for real funds.
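A small pre-install check a reviewer can run over the declared dependency list, as an added example that is not part of the skill: it classifies each specifier as pinned (exact `==` without wildcards), a version range, or fully unbounded, and returns the entries that still float. The regex handles the simple specifiers quoted above, not the full PEP 508 grammar; the list below is copied from the excerpt.

```python
"""Flag floating dependency specifiers before trusting a finance-related skill.

Added illustration, not the skill's code. PAGE_DEPENDENCIES is copied from the
excerpt; the classifier is a deliberately small parser, not a PEP 508 one.
"""
import re
from typing import Dict, List

# name, optional operator, optional version; enough for "pkg>=1.2" style entries.
_SPEC = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9_.-]*)\s*(===|==|>=|<=|~=|!=|>|<)?\s*([^,;\s]+)?")


def classify_dependency(spec: str) -> Dict[str, str]:
    """Return name/op/version plus a status of pinned, range or unbounded."""
    m = _SPEC.match(spec)
    if not m or not m.group(1):
        raise ValueError(f"cannot parse dependency specifier: {spec!r}")
    name, op, version = m.groups()
    if op in ("==", "===") and version and "*" not in version:
        status = "pinned"
    elif op is None:
        status = "unbounded"
    else:
        status = "range"  # >=, ~=, <, etc.: future releases can change behaviour
    return {"name": name, "op": op or "", "version": version or "", "status": status}


def unpinned(deps: List[str]) -> List[str]:
    """Dependencies whose resolved version can change between installs."""
    return [d for d in deps if classify_dependency(d)["status"] != "pinned"]


# Quoted from the reviewed artifact.
PAGE_DEPENDENCIES = [
    "fastmcp>=0.9.0",
    "httpx>=0.25.0",
    "pydantic>=2.0.0",
    "web3>=6.0.0",
    "eth-account>=0.11.0",
]

if __name__ == "__main__":
    for dep in unpinned(PAGE_DEPENDENCIES):
        print("floating:", classify_dependency(dep))
```

Pinning alone still trusts the index; combining the lockfile with hash checking (for pip, requirements with `--hash` entries installed under `--require-hashes`) makes a substituted package fail to install rather than run.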
