Back to skill

Security audit

Bank Skills

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed banking and crypto skill, but it can move real funds and expose wallet secrets without enough built-in safeguards.

Review carefully before installing. Use only with low-balance test accounts, set a strong CLAWBANK_WALLET_PASSWORD, restrict and rotate the Wise API token, enable Wise token/IP controls where available, and do not allow an autonomous agent to call send, send-token, buy-token, or export-private-key without an external human approval step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill exposes capabilities involving environment access, filesystem persistence, networking, and shell execution, but does not declare permissions or prominently scope those powers. In a financial skill, undeclared capabilities reduce transparency and make it harder for a platform or user to apply least-privilege controls, increasing the risk of secret access, fund movement, and local data persistence without informed consent.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation claims private keys are never exposed, yet the documented API includes an export-private-key action that returns the private key. This contradiction is dangerous because it can mislead operators into trusting the skill's handling of secrets while it explicitly enables full wallet compromise.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This module exposes a generic asset-exfiltration primitive via send_token(), allowing arbitrary ETH and ERC-20 transfers from the skill wallet to any validated address. That capability materially exceeds the stated skill scope of banking plus token swaps and is especially dangerous in an agent context, where a compromised prompt flow or unsafe tool invocation could irreversibly drain funds.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The module presents itself as a ClawBank-specific buyback component, but actually supports arbitrary token purchases and generic ETH/ERC-20 transfers. This scope mismatch can mislead reviewers, users, and policy layers into granting trust or permissions that are broader than intended, increasing the chance that dangerous money-moving functionality is overlooked.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
This is a real security issue because the module explicitly exposes the decrypted private key in a normal return value, despite nearby guidance that such material should never be exposed to tool responses. Any caller, log sink, UI layer, or downstream agent that invokes this function gains full custody of the wallet and can irreversibly transfer on-chain assets.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Private-key export is not necessary for ordinary banking or token-swap operations and materially expands the attack surface. In an agent skill context, exposing a raw key is especially dangerous because other tools, prompts, logs, or integrations may access the response and immediately compromise the wallet.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest says the skill provides only Wise-based banking functions, while the metadata and dependencies clearly indicate blockchain capabilities via web3 and eth-account. This mismatch can mislead reviewers, operators, or users into granting trust or permissions without realizing the skill may also perform on-chain asset operations, which materially changes the risk profile.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes high-risk financial actions such as sending money, transferring tokens, and swapping assets, but it does not consistently require explicit human confirmation or emphasize irreversibility. In an agent-execution context, examples and docs often shape default behavior, so insufficient warnings can normalize unsafe autonomous execution of real-value transactions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Documenting private-key export as a normal available tool with only a light warning materially increases the risk of credential exfiltration, because anyone obtaining the key gains full control of on-chain funds. In an agent or MCP setting, exposing this as a routine operation can encourage unsafe prompting or accidental disclosure into chat logs, tool traces, or downstream systems.

Missing User Warnings

High
Confidence
98% confidence
Finding
Exposing a private-key export operation without clear, forceful warnings normalizes disclosure of the single secret that controls the wallet. Any agent, log sink, prompt transcript, or downstream tool that sees the exported key can irreversibly drain all assets from that wallet.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented send-money and send-token actions directly move financial assets, and those transfers may be irreversible or difficult to recover. Without explicit warnings and confirmation requirements, an agent may execute high-impact fund transfers from ambiguous, malicious, or accidental prompts.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The handler directly exposes a `send` action that can initiate a money transfer as soon as required fields are present, with no confirmation gate, step-up authentication, allowlisting, or explicit user-approval check in this entry point. In a banking skill, this is especially dangerous because any upstream prompt injection, unintended automation, or misuse of the CLI/API surface could trigger irreversible fund movement.

Missing User Warnings

High
Confidence
94% confidence
Finding
buy_token() executes a live on-chain swap immediately once called, using the configured target token and signing with the loaded private key, without any built-in user confirmation or execution gate. In an autonomous or semi-autonomous agent, that makes prompt injection, accidental invocation, or parameter manipulation capable of causing irreversible fund loss through real trades.

Missing User Warnings

High
Confidence
98% confidence
Finding
send_token() can immediately sign and broadcast arbitrary ETH or ERC-20 transfers to any destination address that passes format validation, with no user-facing warning, confirmation, or destination restrictions. Because transfers are irreversible and directly use the skill wallet's private key, any misuse or compromised agent decision path can result in full wallet drain.

Missing User Warnings

High
Confidence
98% confidence
Finding
Returning a highly sensitive credential without an explicit confirmation step or prominent disclosure at execution time creates a straightforward path to accidental or unauthorized exfiltration. Because this skill manages financial assets, a single invocation can lead to immediate and total wallet compromise.

Ssd 3

High
Confidence
93% confidence
Finding
The skill is designed to reveal highly sensitive financial data, including account receive details and elsewhere a wallet private key, directly to the calling agent. In an agent environment, plain output may be logged, summarized, forwarded to other tools, or exposed through prompt injection chains, turning normal operation into data exfiltration.

Ssd 3

Critical
Confidence
100% confidence
Finding
Documenting private-key export as a routine operation is a critical vulnerability because possession of the key provides complete, irreversible control over the wallet and all present or future funds. In an agent context, the key can be leaked through model output, logs, memory, tool traces, or malicious prompt content, resulting in immediate asset theft.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.