Cast

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a recovery phrase or private key is exposed in agent context, anyone with access to that context could take control of the wallet.

Why it was flagged

The agent is instructed to collect seed phrases or private keys itself. Those secrets can enter chat context, logs, or other agent memory instead of staying only in a local hidden prompt.

Skill content

ask whether they want to ... import a 12/24-word MetaMask-compatible mnemonic ... or import a private key. Collect the chosen secret

Recommendation

Do not paste existing wallet seed phrases or private keys into the agent chat. The skill should require local hidden terminal input, hardware-wallet flows, or a newly generated low-value wallet instead.

What this means

A local process, user, or agent that can read ~/.agent-wallet may be able to authorize wallet transactions.

Why it was flagged

The keystore password is saved as a plaintext file under the wallet state directory. That password can unlock the keystore for signing transactions.

Skill content

PASSWORD_FILE="${APP_DIR}/pw.txt" ... printf "%s" "$PW" > "${PASSWORD_FILE}" ... ok "Password saved to ${PASSWORD_FILE}"

Recommendation

Do not save the keystore password in plaintext by default. Prefer per-transaction password prompts, an OS keychain, a hardware wallet, or another scoped signing mechanism.

What this means

If these files are read before cleanup, the wallet can be compromised.

Why it was flagged

The script writes generated recovery words and a temporary private key to disk. It sets restrictive permissions and attempts cleanup, but interruption or cleanup failure can leave fund-controlling secrets on the filesystem.

Skill content

printf "%s\n" "$MNEMONIC" > "${MNEMONIC_FILE}" ... printf "%s" "${PRIVATE_KEY}" > "${PK_TMP}"

Recommendation

Avoid writing mnemonics or private keys to disk, or require explicit user opt-in and immediate verified cleanup before any funded wallet is used.

What this means

The skill can modify the host system package set as part of wallet setup, which is broader authority than ordinary wallet onboarding.

Why it was flagged

During wallet creation, the script may install a system package with sudo to schedule mnemonic cleanup, without a separate explicit approval step in the script.

Skill content

installer="apt-get install -y at" ... sudo sh -c "$installer > /tmp/at-install.log 2>&1"

Recommendation

Ask the user before any privileged package installation, or use a non-privileged cleanup method when 'at' is not already installed.

What this means

You must trust the remote Foundry installer and whatever version it installs at runtime.

Why it was flagged

Installing Foundry/cast is purpose-aligned, but this executes a remote installer and updater without a pinned version or checksum in the artifact.

Skill content

curl -L https://foundry.paradigm.xyz | bash ... foundryup

Recommendation

Install Foundry manually from the official source, verify checksums or signatures where possible, and pin versions for repeatable setup.

What this means

A user may not realize exactly what is being installed or where sensitive wallet material is being stored unless they ask.

Why it was flagged

The simplified communication style is understandable, but in a wallet skill it can reduce visibility into scripts that handle secrets, install tools, and persist files.

Skill content

don’t overwhelm them with filenames or the internals of the scripts unless specifically asked

Recommendation

Before collecting secrets or installing tools, clearly disclose the storage paths, cleanup behavior, and any privileged commands.