ClawCast Crypto Wallet: Keys, Balances & Transactions

Security checks across malware telemetry and agentic risk

Overview

This is a real crypto wallet helper, but it stores wallet secrets and the keystore password locally and can make system/tooling changes that deserve careful review before installation.

Install only if you intend to use the agent as a hot-wallet manager. Use a fresh low-balance wallet, do not import a valuable existing seed phrase or private key, review any sudo or installer prompts before approving them, and manually confirm every transaction before broadcast. After setup, inspect and protect ~/.agent-wallet, especially pw.txt and keystore.json, and use the removal script when you are done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The skill instructs the agent to append transaction details to a separate workspace log file unrelated to the wallet tool itself. This creates an additional persistence channel for sensitive financial metadata, increasing exposure to later leakage, unintended sharing, or cross-task data access.

Intent-Code Divergence

Medium
Confidence: 78%
Finding
The skill says custom token entries are written directly into bundled JSON asset data, turning reference metadata into mutable state. That can poison future runs, contaminate shared resources, and cause incorrect contract recommendations or explorer links for later users or sessions.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The wallet setup script performs system-level package installation and job scheduling unrelated to the minimum required wallet workflow. In a security-sensitive crypto context, automatically invoking package managers and persistent OS facilities expands the attack surface, can modify the host unexpectedly, and may trigger privileged operations without clear user consent.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The script explicitly writes the keystore password to a persistent plaintext file (pw.txt), which defeats much of the protection provided by encrypting the keystore. Any local user, backup system, malware, CI artifact collector, or later process with access to the app directory can recover the password and decrypt the wallet, leading to theft of crypto assets.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The user-facing flow says the step is about setting a password to encrypt the keystore, but the script also silently saves that password to disk. This is a security-relevant mismatch because users may assume only the encrypted keystore exists, while in reality the secret needed to unlock it is also stored locally, undermining informed consent and safe handling.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill persists wallet addresses, transaction hashes, and descriptive context without informing the user that this data will be stored in the workspace. In a crypto context, even public-chain identifiers become sensitive when tied to user intent and session activity.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script sources the state file as shell code, so any attacker-controlled content written to that file will execute in the current shell context. In a wallet-oriented skill, this is especially dangerous because the process may later handle private keys, RPC endpoints, and transaction workflows, making local code execution materially impactful.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script downloads code from a remote URL and immediately executes it with `bash`, without verifying integrity, pinning a version, or requiring an explicit user confirmation about executing downloaded code. If the remote host, network path, or served installer is compromised, arbitrary code will run in the user's environment with the script's privileges.

Missing User Warnings

Medium
Confidence: 98%
Finding
The script silently attempts to install the 'at' package via apt/sudo when it is missing, without an upfront confirmation step. This is dangerous because a wallet-management script handling secrets should not make privileged system changes implicitly; doing so can surprise users, break least-privilege expectations, and increase the chance of abuse if the script or environment is compromised.

Missing User Warnings

Medium
Confidence: 97%
Finding
The password is written directly to a plaintext file with no explicit warning that it will persist on disk. In a wallet-management skill, this is especially dangerous because the saved password can be combined with the keystore file to fully compromise the wallet and authorize transactions.

Ssd 3

Medium
Confidence: 93%
Finding
Natural-language transaction summaries can capture more sensitive context than raw blockchain data alone, such as why funds moved or what the user was trying to do. Persisting that context in a workspace log creates a durable privacy and data-leak risk that is disproportionate to the stated wallet assistance purpose.

VirusTotal

61/61 vendors flagged this skill as clean.