Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Local Wallet Standard
v1.0.0
Lightweight Wallet Signer CLI — generate wallets, derive addresses, and sign messages across EVM, Solana, Bitcoin, Cosmos, and Tron chains.
by @njdawn
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with what the SKILL.md instructs: it builds a Rust CLI, requires git and cargo, and stores wallets under ~/.lws. Requiring git/cargo and optionally rustup is proportionate for a Rust CLI built from source.
Instruction Scope
The runtime instructions tell users/agents to install via curl | bash from a raw GitHub URL and to pass full BIP-39 mnemonics on the command line (e.g., lws derive --mnemonic <PHRASE> and lws sign --mnemonic <PHRASE>). Passing secrets on the CLI can leak to shell history and process listings. The SKILL.md does not describe encrypting the wallet vault or secure handling of mnemonics, so instructions do not constrain or protect sensitive data.
Install Mechanism
The installer is a curl -fsSL https://raw.githubusercontent.com/... | bash pipeline. GitHub raw content is a known host, but piping a remote install script to a shell executes remote code without an on-disk review and is higher risk. The installer may install rustup and build toolchains, which modify the system environment.
Credentials
The skill declares no required environment variables, which is fine, but it stores wallet descriptors under ~/.lws and expects users to supply raw mnemonics. There is no mention of vault encryption, passphrase protection, or secure storage. That absence is disproportionate for a tool that handles private keys and mnemonics.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or cross-skill configuration. The installer writes to the user's home directory (~/.lws) and modifies shell config to add to PATH, which is expected for a CLI but should be reviewed by the user before permitting.
What to consider before installing
This skill appears to implement a local wallet CLI and the build requirements (git/cargo) are reasonable, but you should not blindly run the curl|bash installer or supply real mnemonics until you verify the code. Actionable steps:
(1) Inspect the GitHub repo and the install.sh script yourself (do not pipe to shell without review).
(2) Prefer cloning and building from source locally (git clone && cargo build) rather than curl|bash.
(3) Confirm how wallet JSON files are protected—look for encryption/passphrase support—and check file permissions on ~/.lws.
(4) Avoid passing mnemonics on the command line; use interactive prompts or secure stdin if available.
(5) If you must test, run in an isolated VM/container and use throwaway mnemonics (no real funds).
(6) Consider using hardware wallets or well-audited software for real funds.
If you want, I can (a) fetch and summarize the install.sh and repository files for manual review, or (b) list the lines in SKILL.md that expose secrets so you can adjust usage.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
OS: macOS · Linux
Bins: git, cargo
