Cast

Pass
Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Classification: Suspicious
High-Entropy/Eval files: 11

This skill is classified as suspicious because of several high-risk operations, even though each is plausibly aligned with the stated purpose of managing EVM wallets. Key indicators: `scripts/01_install_cast.sh` installs Foundry with `curl -L https://foundry.paradigm.xyz | bash`, a common but inherently risky pattern that executes remote code without a pinned version or checksum. `scripts/02_wallet.sh` attempts to install the `at` command with `sudo apt-get install -y at`, a root-level modification of the host package set. Most critically, the skill temporarily stores sensitive wallet material (mnemonic phrases, private keys and keystore passwords) in plaintext files under `~/.agent-wallet/` during onboarding (e.g. `mnemonic-words-*.txt`, `privatekey.tmp` and `pw.txt` in `scripts/02_wallet.sh` and `scripts/03_password.sh`). These files are given restrictive permissions (`chmod 600`) and the skill includes cleanup mechanisms (scheduled deletion via `at` and `remove_wallet.sh`), but an interrupted run or a failed cleanup leaves unencrypted, fund-controlling secrets on disk, so the temporary plaintext exposure remains a significant security risk.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a recovery phrase or private key is exposed in agent context, anyone with access to that context could take control of the wallet.

Why it was flagged

The agent is instructed to collect seed phrases or private keys itself. Those secrets can enter chat context, logs, or other agent memory instead of staying only in a local hidden prompt.

Skill content
ask whether they want to ... import a 12/24-word MetaMask-compatible mnemonic ... or import a private key. Collect the chosen secret
Recommendation

Do not paste existing wallet seed phrases or private keys into the agent chat. The skill should require local hidden terminal input, hardware-wallet flows, or a newly generated low-value wallet instead.

What this means

A local process, user, or agent that can read ~/.agent-wallet may be able to authorize wallet transactions.

Why it was flagged

The keystore password is saved as a plaintext file under the wallet state directory. That password can unlock the keystore for signing transactions.

Skill content
PASSWORD_FILE="${APP_DIR}/pw.txt" ... printf "%s" "$PW" > "${PASSWORD_FILE}" ... ok "Password saved to ${PASSWORD_FILE}"
Recommendation

Do not save the keystore password in plaintext by default. Prefer per-transaction password prompts, an OS keychain, a hardware wallet, or another scoped signing mechanism.

What this means

If these files are read before cleanup, the wallet can be compromised.

Why it was flagged

The script writes generated recovery words and a temporary private key to disk. It sets restrictive permissions and attempts cleanup, but interruption or cleanup failure can leave fund-controlling secrets on the filesystem.

Skill content
printf "%s\n" "$MNEMONIC" > "${MNEMONIC_FILE}" ... printf "%s" "${PRIVATE_KEY}" > "${PK_TMP}"
Recommendation

Avoid writing mnemonics or private keys to disk, or require explicit user opt-in and immediate verified cleanup before any funded wallet is used.

What this means

The skill can modify the host system package set as part of wallet setup, which is broader authority than ordinary wallet onboarding.

Why it was flagged

During wallet creation, the script may install a system package with sudo to schedule mnemonic cleanup, without a separate explicit approval step in the script.

Skill content
installer="apt-get install -y at" ... sudo sh -c "$installer > /tmp/at-install.log 2>&1"
Recommendation

Ask the user before any privileged package installation, or use a non-privileged cleanup method when 'at' is not already installed.
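The recommendations for the three findings above (hidden terminal input instead of chat, no plaintext secret left behind after an interrupted run, and delayed cleanup that does not require `sudo apt-get install at`) fit in a few shell functions. The block below is an added example, not code from the skill's scripts or from ClawScan; the paths, function names, the `WALLET_NO_TTY` override and the constructed test mnemonic are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the skill or from ClawScan. Shows the three
# alternatives the findings recommend: a hidden local prompt for secrets, a
# scratch file that is wiped even if the flow is interrupted, and delayed
# deletion that needs neither sudo nor `apt-get install at`. Paths, names and
# the test mnemonic below are assumptions.
set -u

# Read a secret from the controlling terminal with echo off. The value goes to
# the caller's variable, never into chat context, a log, or a file.
# WALLET_NO_TTY=1 (assumed name) forces the stdin path for non-interactive tests.
read_secret() {
  prompt="$1"
  if [ -z "${WALLET_NO_TTY:-}" ] && ( : < /dev/tty ) 2>/dev/null; then
    printf '%s: ' "$prompt" > /dev/tty
    IFS= read -r -s secret < /dev/tty
    printf '\n' > /dev/tty
  else
    IFS= read -r secret
  fi
  printf '%s' "$secret"
}

# Overwrite then unlink; shred is not guaranteed on every filesystem but beats
# a plain rm. Falls back to rm -f when shred is unavailable.
wipe() {
  for f in "$@"; do
    [ -e "$f" ] || continue
    if command -v shred >/dev/null 2>&1; then
      shred -u "$f" 2>/dev/null || rm -f "$f"
    else
      rm -f "$f"
    fi
  done
}

# Delayed deletion without privileges: a detached sleeper in place of `at`.
detach_wipe() {
  file="$1"; delay_s="$2"
  ( sleep "$delay_s"; rm -f "$file" ) >/dev/null 2>&1 &
  disown 2>/dev/null || true
}

# Use `at` only if it is already installed; otherwise fall back. Never installs.
schedule_wipe() {
  file="$1"; delay_s="$2"
  if command -v at >/dev/null 2>&1; then
    printf 'rm -f %q\n' "$file" | at now + "$(( delay_s / 60 + 1 ))" minutes >/dev/null 2>&1 && return 0
  fi
  detach_wipe "$file" "$delay_s"
}

# Onboarding flow: every file is born 0600 (umask, not a later chmod), and the
# EXIT/INT/TERM trap wipes the directory on success, failure, or Ctrl-C.
# Prints the scratch file's mode; returns 0 only if nothing is left behind.
onboard_demo() {
  scratch=$(mktemp -d "${TMPDIR:-/tmp}/wallet-scratch.XXXXXX") || return 1
  (
    umask 077
    trap 'wipe "$scratch"/*; rmdir "$scratch" 2>/dev/null' EXIT INT TERM
    # Constructed stand-in; a real flow takes this from the wallet tool's
    # output or from read_secret, never from the agent conversation.
    mnemonic="test test test test test test test test test test test junk"
    printf '%s\n' "$mnemonic" > "$scratch/mnemonic.tmp"
    stat -c %a "$scratch/mnemonic.tmp" 2>/dev/null || stat -f %Lp "$scratch/mnemonic.tmp"
    # ... hand "$scratch/mnemonic.tmp" to the keystore import here ...
  )
  [ ! -e "$scratch" ]
}
```

The point of the subshell plus trap in `onboard_demo` is that the cleanup runs on every exit path, so a Ctrl-C or a failing `cast` command cannot leave `mnemonic.tmp` behind the way a cleanup scheduled for later can. `schedule_wipe` is only a belt-and-braces step for anything that must outlive the process, and it never escalates privileges to get there.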

What this means

You must trust the remote Foundry installer and whatever version it installs at runtime.

Why it was flagged

Installing Foundry/cast is purpose-aligned, but this executes a remote installer and updater without a pinned version or checksum in the artifact.

Skill content
curl -L https://foundry.paradigm.xyz | bash ... foundryup
Recommendation

Install Foundry manually from the official source, verify checksums or signatures where possible, and pin versions for repeatable setup.
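The download, verify, then execute pattern this recommendation describes, as an added example: this is not the skill's `01_install_cast.sh` and not Foundry's own `foundryup`. The pinned SHA-256, the URL and any arguments forwarded to the installer are placeholders the caller supplies from the project's release page; no real Foundry checksum appears here.

```bash
#!/usr/bin/env bash
# Added example, not the skill's scripts and not Foundry's installer. Replaces
# `curl -L <url> | bash` with: download to a private temp file, verify its
# SHA-256 against a value pinned out of band, and only then execute it.
# The pinned hash and the arguments forwarded to the installer are assumed
# placeholders; take the real values from the project's release page.
set -u

# Portable SHA-256: coreutils sha256sum, or shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# 0 iff the file's digest equals the pinned one (hex compared case-insensitively).
verify_sha256() {
  file="$1"; pinned="$2"
  actual=$(sha256_of "$file") || return 1
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = "$(printf '%s' "$pinned" | tr 'A-F' 'a-f')" ]
}

# Execute a downloaded installer only after it verifies. Extra args (for example
# a version-pinning flag the installer supports) are forwarded untouched.
run_if_verified() {
  file="$1"; pinned="$2"; shift 2
  if ! verify_sha256 "$file" "$pinned"; then
    echo "checksum mismatch for $file; refusing to execute" >&2
    return 2
  fi
  bash "$file" "$@"
}

# Download-verify-run. --proto/--proto-redir '=https' and --tlsv1.2 refuse a
# downgrade to plain HTTP or old TLS, including across redirects; -f turns an
# HTTP error into a failure instead of executing an error page; umask 077
# keeps the temp file private.
fetch_verify_run() {
  url="$1"; pinned="$2"; shift 2
  umask 077
  tmp=$(mktemp "${TMPDIR:-/tmp}/installer.XXXXXX") || return 1
  if ! curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 -o "$tmp" "$url"; then
    rm -f "$tmp"; return 1
  fi
  run_if_verified "$tmp" "$pinned" "$@"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage (the hash is a placeholder, not Foundry's real checksum):
#   fetch_verify_run https://foundry.paradigm.xyz <pinned-sha256-hex>
```

The pinned value has to come from somewhere other than the download itself (a release page, a signed tag, a checksum file fetched over a second channel); a hash served next to the script proves nothing if the server is the thing you distrust. Running `foundryup` afterwards reintroduces the unpinned update step, so pin the version there too.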

What this means

A user may not realize exactly what is being installed or where sensitive wallet material is being stored unless they ask.

Why it was flagged

The simplified communication style is understandable, but in a wallet skill it can reduce visibility into scripts that handle secrets, install tools, and persist files.

Skill content
don’t overwhelm them with filenames or the internals of the scripts unless specifically asked
Recommendation

Before collecting secrets or installing tools, clearly disclose the storage paths, cleanup behavior, and any privileged commands.