Clawcast - Cast Ethereum Wallet for Agents

Security checks across malware telemetry and agentic risk

Overview

This is a real EVM wallet helper, but it stores highly sensitive wallet secrets locally and can alter the host system during setup.

Install only if you intentionally want a local hot-wallet helper and accept that the agent and files under ~/.agent-wallet may handle wallet-control secrets. Do not import a valuable existing seed phrase or private key. Review any Foundry install or sudo package prompts, inspect and delete plaintext mnemonic/password files, and treat logs/tx_mentions.log as sensitive financial metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill clearly instructs the agent to read and write local files and execute shell scripts, yet no permissions are declared. That mismatch undermines user and platform trust boundaries because the skill can handle sensitive wallet material, modify state files, and run commands without transparent capability scoping.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill adds a persistent transaction logging requirement to a workspace file even though the stated scope is wallet management and network helpers. This expands behavior into local surveillance/auditing of user activity, creating unexpected retention of wallet-linked transaction metadata.

Intent-Code Divergence

Medium
Confidence
79% confidence
Finding
The documentation first presents the JSON assets as authoritative reference data, then later instructs the agent to write user-supplied token data back into those same files. That inconsistency can corrupt trusted configuration, poison future recommendations, and let untrusted input silently become persistent reference data.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script goes beyond wallet setup by attempting to install the system 'at' package and use scheduled jobs to delete mnemonic files. In a wallet-management context, invoking package managers and potentially sudo/root changes expands the attack surface and can cause unexpected privileged system modification on the user's machine.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The script warns that the mnemonic file will be deleted in about an hour regardless of whether scheduling actually succeeded, because the message is emitted unconditionally after capturing the helper output. For wallet secrets, misleading the user about cleanup status is dangerous because it can leave highly sensitive recovery words on disk longer than the user believes.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script asks the user for a keystore password, then immediately stores that password in plaintext at ${APP_DIR}/pw.txt. This undermines the protection provided by the encrypted keystore because anyone who can read the application directory can decrypt the wallet without needing to know the password separately.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The user-facing text states that the password encrypts the keystore, but the script also silently saves the same password to disk. This is security-relevant misrepresentation because it can cause users to overestimate the protection of the keystore and leave both the encrypted key material and its decryption secret on the same system.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill requires persistent logging of wallet address and transaction details without telling the user that this metadata will be stored locally. Because blockchain data is highly linkable, this creates a privacy and operational security risk even if no private keys are logged.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes mnemonic recovery words to a plaintext file on disk without prior opt-in or confirmation. In the wallet context this is especially sensitive, because anyone who obtains those words can fully recover and drain the wallet, and users may reasonably expect secret material entered or generated in a CLI to remain in memory only.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The password is written directly to a plaintext file with restrictive permissions but without a clear warning or consent flow about persistence risk. File mode 600 reduces exposure to other local users, but it does not protect against malware, backups, accidental inclusion in archives, or compromise of the same account.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The private key is passed as a command-line argument to 'cast wallet import --private-key', which may expose it via process listings, shell history in wrapper contexts, audit logs, or endpoint monitoring tools. In a wallet-management skill, exposure of the raw private key is highly sensitive because compromise directly enables theft of funds and account takeover.

Ssd 3

Medium
Confidence
92% confidence
Finding
Appending natural-language transaction summaries to a workspace log creates a durable leakage trail that links timestamps, wallet addresses, tx hashes, and user context. That record can later be exfiltrated, committed to version control, or read by other tools, increasing the blast radius of otherwise public-but-sensitive blockchain activity.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
4. **Onboarding flow** (automatic when no wallet exists). If the readiness check exits with 1, walk through the scripted steps in order, mirroring their prompts and explicitly asking the user for every required piece of information before running the next script. After the key-material step finishes, share the derived address immediately so the user sees it before we ask them for anything in step 3:
   1. Installation — explain that the script will ensure Foundry/cast is installed so every mentioned `cast` command works before proceeding.
   2. Key material — before running the wallet step, ask whether they want to create a new hot keypair, import a 12/24-word MetaMask-compatible mnemonic (`m/44'/60'/0'/0/0`), or import a private key. Collect the chosen secret, confirm the resulting address right after the step finishes, and tell the user that address before moving on. When generating a new keypair, capture the mnemonic displayed by `cast wallet new`, save it to `~/.agent-wallet/mnemonic-words-<timestamp>.txt`, and tell the user the exact path plus the fact that a job (via `at now + 1 hour` if available or a background `sleep` fallback) will delete that file after 60 minutes so the seed phrase does not linger.
   3. Password — only ask for the keystore password once (there is no confirmation prompt, no save/remember question, and the account name is forced to “agent”). The script saves that password to the local helper file and uses it when creating the keystore, so nothing else is needed from the user for this step.
   4. Network — read aloud the default network list derived from `assets/evm-networks.json`, ask which numbered network they want, and note that the script now auto-selects the first RPC URL from that entry (it saves the matching `CHAIN_ID`/`ETH_RPC_URL` and then just shows the RPC so the user can see which endpoint is being used).
   5. Tokens — the script now prints the token table derived from `assets/evm-network-tokens.json` so it appears directly i
...[truncated 25 chars]
Confidence
95% confidence
Finding
no confirmation

Session Persistence

Medium
Category
Rogue Agent
Content
## Scripts

- **Step scripts** — `scripts/01_install_cast.sh`..`06_finish.sh` cover the onboarding flow described in the README: install Foundry/cast, create or import a key, encrypt the keystore, choose network/RPC/tokens (sourced from the JSON assets), and show the resulting address and balance. Run them in order when the user requests onboarding. Each script already prompts for the necessary inputs (mnemonic/private key, password, RPC URL, token details), so relaying the same questions to the user and then running the next script is the recommended approach.
- **Wallet health check** — `scripts/check_wallet.sh` inspects the shared state and reports whether a keystore/address pair already exists; it returns success (0) when a wallet is present and 1 otherwise.
- **Network status** — `scripts/show_network.sh` prints the active network name, chainId, and RPC URL from `~/.agent-wallet/state.env`, or warns if the configuration is incomplete.
- **Wallet removal** — `scripts/remove_wallet.sh` safely deletes the keystore, password stash, and metadata from `~/.agent-wallet/state.env` after an explicit confirmation.
Confidence
90% confidence
Finding
create or import a key, encrypt the keystore, choose network/RPC/tokens (sourced from the JSON assets), and show the resulting address and balance. Run them in order when the user requests onboarding.

Session Persistence

Medium
Category
Rogue Agent
Content
3. **Show wallet + network status.** When `check_wallet` finds a wallet, run `scripts/show_network.sh` and query the balance (e.g., `cast balance <ADDRESS> --rpc-url <RPC_URL> --ether`) so the user sees the current native balance, network name, chainId, and RPC URL without being prompted to check anything manually.
4. **Onboarding flow** (automatic when no wallet exists). If the readiness check exits with 1, walk through the scripted steps in order, mirroring their prompts and explicitly asking the user for every required piece of information before running the next script. After the key-material step finishes, share the derived address immediately so the user sees it before we ask them for anything in step 3:
   1. Installation — explain that the script will ensure Foundry/cast is installed so every mentioned `cast` command works before proceeding.
   2. Key material — before running the wallet step, ask whether they want to create a new hot keypair, import a 12/24-word MetaMask-compatible mnemonic (`m/44'/60'/0'/0/0`), or import a private key. Collect the chosen secret, confirm the resulting address right after the step finishes, and tell the user that address before moving on. When generating a new keypair, capture the mnemonic displayed by `cast wallet new`, save it to `~/.agent-wallet/mnemonic-words-<timestamp>.txt`, and tell the user the exact path plus the fact that a job (via `at now + 1 hour` if available or a background `sleep` fallback) will delete that file after 60 minutes so the seed phrase does not linger.
   3. Password — only ask for the keystore password once (there is no confirmation prompt, no save/remember question, and the account name is forced to “agent”). The script saves that password to the local helper file and uses it when creating the keystore, so nothing else is needed from the user for this step.
   4. Network — read aloud the default network list derived from `assets/evm-networks.json`, ask which numbered network they want, and note 
...[truncated 25 chars]
Confidence
97% confidence
Finding
create a new hot keypair, import a 12/24-word MetaMask-compatible mnemonic (`m/44'/60'/0'/0/0`), or import a private key. Collect the chosen secret, confirm the resulting address right after the step

VirusTotal

66/66 vendors flagged this skill as clean.
