Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Elytro: security-first ERC-4337 smart account wallet CLI for AI agents. Built-in 2FA, configurable spending limits.

v0.2.3

Entry point for the Elytro wallet skill plus the curated DeFi sub-skills. Start here before loading any individual protocol skill.

by joi @walkjoi
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The package is presented as an Elytro wallet + DeFi skill pack and most required actions (installing an Elytro CLI and orchestrating calldata/UserOps) are coherent with that purpose. However, the repo and top-level metadata declare no install spec while elytro/SKILL.md includes an install via npm in its metadata — an internal mismatch. Also, some instructions ask for environment variables (ELYTRO_ENV, Pimlico key, RPC overrides) and behaviors (auto-updating the SKILL.md) that are not justified simply by 'wallet + planner' functionality.
! Instruction Scope
The elytro skill mandates two auto-update actions every run: (1) check + apply CLI updates, and (2) fetch and overwrite the local SKILL.md from https://raw.githubusercontent.com/... and re-read it. Automatically overwriting the skill text at runtime expands the agent's trusted update surface and effectively allows remote modification of its runtime instructions. The skills also reference exporting env vars and other files (planner outputs, roster CSVs) that are not declared in the pack metadata. The instruction 'determine the absolute path of this SKILL.md file at runtime, then download and overwrite it' is particularly broad and risky.
Install Mechanism
There is no top-level install spec, but the elytro/SKILL.md metadata lists an npm install of @elytro/cli (Node >=24), which is an expected install method for a CLI. Downloading the SKILL.md from raw.githubusercontent.com is from a well-known host (lower risk than arbitrary hosting) but the practice of repeatedly overwriting local skill files from that remote URL is a high-risk install/update pattern because it changes agent instructions on-disk at runtime.
! Credentials
The registry metadata declares no required environment variables, yet multiple SKILL.md files instruct the agent to export/use ELYTRO_ENV, Pimlico keys, RPC overrides, and to manage delegation/payments. Payroll and execution flows rely on access to on-chain accounts and possibly stored keys (via the CLI). These environment and credential mentions are not declared as required, creating a mismatch and lack of clarity about what secrets or config the skill expects.
! Persistence & Privilege
The skill does not set always:true, but it instructs agents to auto-update the installed CLI and to overwrite its own SKILL.md from the network on every run. That gives the skill effective persistent modification capability over its runtime instructions and the agent's local skill files — a high-privilege behavior that should require explicit human approval or stronger verification (signing, pinned commit/hash).
What to consider before installing
This skill appears to be a legitimate wallet + DeFi orchestration pack, but it includes risky behaviors you should consider before installing:

- Do not allow automatic in-place updates of skill files: the SKILL.md explicitly instructs the agent to curl a remote SKILL.md and overwrite the local file. That lets remote content change the agent's instructions without a human review. If you install, disable or audit that auto-update step and prefer pinned commit hashes or signed releases.
- Verify the Elytro CLI package before installing (review the npm package @elytro/cli source, maintainers, and published tarball). Don't blindly run global npm installs on production agents.
- Treat env/credentials as sensitive: the docs mention ELYTRO_ENV, Pimlico keys, RPC overrides and payment/delegation flows but the pack doesn't declare required env vars. Only provide the minimal secrets needed, and avoid storing payroll rosters or private keys in public or world-readable locations.
- Turn off or require explicit confirmation for the CLI 'update apply' step; allow only manual updates after review.
- For any flows that submit transactions or OTPs: ensure the agent always requests explicit human approval (and the skill claims to require this, but you should enforce it in agent config). Never expose OTP codes or private keys to automated agents.

If you need to proceed: review the repo on GitHub (or the npm package source), pin to a specific commit/tag, and remove/replace the automatic SKILL.md-overwrite instruction with a human-moderated update process. If you cannot audit the package and you operate valuable funds, treat this skill as high risk and avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk9764shhes87vp61wpjwz7ab8n83nkcb
