SUPAH Wallet X-Ray
Pending: VirusTotal audit pending.
Overview
No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted wallet or chain value could make the skill run local Node.js code under the agent user's account.
The script accepts address/ENS and chain arguments, then interpolates those user-controlled values into executable JavaScript without escaping. A crafted value containing quote characters could break out of the string if execution reaches the display parser.
node -e "... const addr = '${ADDRESS}'; const ensName = '${ENS_NAME}'; ... console.log('Chain: ' + '${CHAIN}' ...);"
Validate wallet addresses and chain names against strict allowlists, and pass values to Node via process arguments or environment variables with JSON encoding instead of interpolating them into node -e code.
Using the skill may incur automatic per-scan charges, especially if the agent scans multiple addresses.
The skill is explicitly designed to spend small amounts of USDC from the agent wallet when scans are performed.
$0.05 USDC per scan — paid via x402 micropayment on Base. Your agent pays automatically per call.
Use an agent wallet with limited funds, monitor x402 payments, and consider requiring confirmation or spend limits before scans.
ENS names entered for scanning are also sent to api.ensideas.com, not only to SUPAH.
The runtime script calls an additional ENS resolution provider beyond the primary api.supah.ai endpoint listed in the skill metadata, so the network dependency is not fully captured by the main capability metadata.
curl -sf "https://api.ensideas.com/ens/resolve/$INPUT"
List all outbound providers in the metadata and documentation so users can review the full data flow before installing.
