Bank Skills
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent with its banking and token purpose, but it gives an agent real-money transfer and wallet-key authority without enough built-in safeguards.
Install only if you intentionally want an agent to help with real banking and on-chain funds. Before using it, set an explicit WISE_PROFILE_ID, restrict and monitor the Wise API token, enable Wise IP whitelisting if possible, never use the default wallet password, keep minimal funds in the generated wallet, and require manual review for every transfer, swap, token send, or private-key export.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with the Wise API token could initiate a real bank transfer if it is invoked with recipient and amount details.
The send-money flow creates and funds a Wise transfer directly; the visible artifacts do not add a separate confirmation, quote review gate, recipient allowlist, or amount limit before funding.
# Step 4: Create transfer
transfer = _create_transfer(client, quote["id"], recipient["id"])
# Step 5: Fund transfer
_fund_transfer(client, pid, transfer["id"])
Require explicit user confirmation after showing the quote and recipient, add amount and recipient allowlists, and use Wise token scopes/IP restrictions where possible.
The skill may operate on a Wise profile the user did not intend, especially if the API token has access to multiple personal or business profiles.
If WISE_PROFILE_ID is not set, the skill automatically chooses the first Wise profile for balance/account-details/transfer operations, which is an implicit permission boundary for a financial account.
Otherwise, fetch profiles from the API and return the first one.
...
return str(profiles[0]["id"])
Require WISE_PROFILE_ID for money movement, display the selected profile before use, and use the least-privileged Wise token available.
If the wallet file is copied or read by another process, funds in that wallet may be at risk when the default password is used.
A newly created wallet private key is encrypted with a public default password unless the user sets CLAWBANK_WALLET_PASSWORD.
DEFAULT_PASSWORD = "clawbank-default"
...
password = os.environ.get(WALLET_PASSWORD_ENV, DEFAULT_PASSWORD)
keystore = Account.encrypt(private_key, password)
Refuse to create wallets with the default password, require a strong user-supplied password, and document how to protect and back up the keystore.
If exposed to an agent workflow, the private key could be displayed, logged, or mishandled, compromising the wallet.
The documented tool surface includes exporting the wallet private key, which is a raw credential granting full control of on-chain funds.
- `export_private_key` — Export private key for wallet recovery/import
Remove private-key export from default agent-accessible tools, or require a separate manual recovery mode with strong confirmation and no logging.
A swap could execute at a very unfavorable rate or be vulnerable to price movement/MEV, causing avoidable loss of funds.
The V4 swap path can submit an on-chain swap with no minimum output amount, explicitly noting that slippage protection is still TODO.
amount_out_min=0, # TODO: Use Quoter for slippage protection
Use a quoter and enforce a user-approved minimum output/slippage limit before signing any swap transaction.
Future dependency versions could change behavior or introduce vulnerabilities in a skill that handles money and keys.
The Python dependencies are lower-bound-only rather than pinned; this is common for Python projects but noteworthy for a financial skill.
"httpx>=0.25.0", "web3>=6.0.0", "eth-account>=0.11.0"
Install from a reviewed commit, use a lockfile or pinned dependency versions, and keep dependencies patched.
