Agentic Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a coherent crypto wallet management skill, but it handles wallet secrets and payment authority that users must protect carefully.

Install only if you trust the agentic-wallet npm package and the wallet providers involved. Do not paste seed phrases, private keys, API keys, or wallet passwords into chat or logs; avoid shell echo for real secrets where possible, use restrictive file permissions or a secret manager, keep only limited funds in agent wallets, and review any payment or transaction before authorizing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents creation, backup, and recovery of cryptocurrency wallets, including seed-phrase recovery and backup handling, but does not prominently warn that mistakes can cause irreversible loss of funds or permanent compromise of wallet material. In the context of an autonomous-agent wallet skill, users may follow these instructions mechanically, so omission of asset-loss and secret-exposure warnings materially increases operational risk.

Missing User Warnings

Medium
Confidence: 97%
Finding
The non-interactive examples instruct users to write wallet passwords and Crossmint API keys into plaintext files using shell echo, but do not warn about shell history, accidental disclosure, backup leakage, or insecure filesystem handling. Because these secrets can control wallet access or signing authority, compromise of the files can directly enable theft or misuse of crypto assets.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
