Tether Wallet Development Kit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate wallet-development skill, but it needs review because some examples under-scope secret handling for real-money wallet flows.

Install only if you are intentionally building Tether WDK wallet or payment integrations. Use test wallets first, keep seed phrases and MoonPay secret keys in protected backend or secret-manager storage, avoid the browser no-op sodium shim for real signing keys, and require explicit user confirmation and fee/amount review before any transaction or paid x402 request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 96%
Finding
The browser compatibility section recommends aliasing `sodium-universal` to a shim where `sodium_memzero()` is a no-op, which defeats the documented key-erasure behavior of `dispose()`. In a wallet SDK handling seed phrases and private keys, this can leave sensitive material resident in memory longer than intended, increasing exposure to memory disclosure bugs, crash dumps, debugging tools, or malicious scripts in the host environment.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation shows a `secretKey` embedded directly in application code and does not warn that this credential must be handled as a sensitive server-side secret. In a wallet/fiat integration context, readers may copy this pattern into client-side apps, browser bundles, repos, logs, or examples, which can expose the MoonPay signing secret and allow unauthorized generation of signed widget URLs.

VirusTotal

66/66 vendors flagged this skill as clean.
