Back to skill

Security audit

Cast

Security checks across malware telemetry and agentic risk

Overview

This wallet helper matches its stated purpose, but it stores powerful wallet secrets and makes system changes in ways users should review carefully before installing.

Install only if you intend to use a local hot-wallet helper and accept the risk of local secret storage. Do not import valuable seed phrases or high-value wallets; prefer a hardware wallet or manual Foundry workflow for significant funds, and review or remove the plaintext files and transaction logs after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (17)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill directs the agent to read and write local files and execute shell commands, yet it declares no permissions or capability boundaries. In a wallet-management context, undeclared shell/file access is risky because it enables sensitive operations like installing software, handling secrets, and deleting wallet artifacts without transparent review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior expands far beyond a simple wallet helper: it installs software from the internet, stores passwords and seed phrases on disk, mutates packaged asset files, may install system utilities, and deletes local wallet state. This mismatch is dangerous because users and reviewers may underestimate the operational and secret-handling risk of the skill, especially in a cryptocurrency context where compromise can directly lead to asset loss.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill instructs the agent to append transaction mentions to a workspace log, creating a secondary store of wallet addresses, hashes, and activity history unrelated to the core cast command execution. This broadens the data exposure surface and can leak sensitive financial metadata to other tools, users, or future sessions that can read the workspace.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The documentation describes the network/token JSON assets as authoritative reference data, but later says token additions are written directly back into those packaged JSON files. Treating reference assets as mutable operational state is risky because it can corrupt trusted configuration, introduce malicious token entries, and blur the boundary between shipped data and user-specific changes.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The wallet script goes beyond cast-based wallet handling and attempts to install the OS package 'at' and schedule a system job to delete mnemonic files later. Modifying system packages and creating deferred jobs increases attack surface, may require privilege escalation, and is risky in a secrets-handling workflow because failures or environment differences can leave sensitive mnemonic files on disk longer than intended.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to save a generated mnemonic seed phrase to a local file, even if scheduled for later deletion. Seed phrases are sufficient to fully control wallet funds, so writing them to disk creates a severe theft risk through local compromise, backups, logs, race conditions before deletion, or failed cleanup.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill states that the keystore password is saved to a local helper file without a prominent warning or safer alternative. Storing a wallet password on disk materially weakens keystore protection because any local read access, backup exposure, or workspace leak can give an attacker what they need to unlock the wallet.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill requires local logging of wallet and transaction metadata without clearly warning the user that this financial activity data will be stored. Even without private keys, transaction histories and addresses are sensitive and can reveal balances, counterparties, and behavioral patterns.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script downloads code from a remote URL and immediately executes it in the current shell without integrity verification, pinning, or explicit user confirmation. This creates a supply-chain execution risk: if the remote endpoint, transport, DNS, or upstream installer is compromised, arbitrary code will run on the user's machine during setup.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script writes highly sensitive wallet secrets to disk: the newly generated mnemonic is saved to a timestamped text file, and the private key is written to a temporary file, all without prior confirmation. Even with restrictive permissions, disk persistence creates exposure through backups, endpoint monitoring, filesystem recovery, or delayed cleanup, which is especially dangerous in an EVM wallet-management skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script prints the full RPC URL to stdout, and RPC URLs commonly embed provider API keys, bearer-style tokens, project secrets, or internal endpoint details. In wallet and transaction tooling, terminal output is often logged, shared in screenshots, or captured by CI systems, so disclosing the raw URL can leak credentials or infrastructure information to unauthorized parties.

Ssd 3

Medium
Confidence
90% confidence
Finding
Persisting transaction-related user data in a workspace log creates unnecessary retention of sensitive financial metadata beyond the immediate task. In a wallet skill, this is more dangerous because addresses and transaction hashes can be correlated with balances and activity, increasing privacy and targeting risks.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
4. **Onboarding flow** (automatic when no wallet exists). If the readiness check exits with 1, walk through the scripted steps in order, mirroring their prompts and explicitly asking the user for every required piece of information before running the next script. After the key-material step finishes, share the derived address immediately so the user sees it before we ask them for anything in step 3:
   1. Installation — explain that the script will ensure Foundry/cast is installed so every mentioned `cast` command works before proceeding.
   2. Key material — before running the wallet step, ask whether they want to create a new hot keypair, import a 12/24-word MetaMask-compatible mnemonic (`m/44'/60'/0'/0/0`), or import a private key. Collect the chosen secret, confirm the resulting address right after the step finishes, and tell the user that address before moving on. When generating a new keypair, capture the mnemonic displayed by `cast wallet new`, save it to `~/.agent-wallet/mnemonic-words-<timestamp>.txt`, and tell the user the exact path plus the fact that a job (via `at now + 1 hour` if available or a background `sleep` fallback) will delete that file after 60 minutes so the seed phrase does not linger.
   3. Password — only ask for the keystore password once (there is no confirmation prompt, no save/remember question, and the account name is forced to “agent”). The script saves that password to the local helper file and uses it when creating the keystore, so nothing else is needed from the user for this step.
   4. Network — read aloud the default network list derived from `assets/evm-networks.json`, ask which numbered network they want, and note that the script now auto-selects the first RPC URL from that entry (it saves the matching `CHAIN_ID`/`ETH_RPC_URL` and then just shows the RPC so the user can see which endpoint is being used).
   5. Tokens — the script now prints the token table derived from `assets/evm-network-tokens.json` so it appears directly i
...[truncated 25 chars]
Confidence
88% confidence
Finding
no confirmation

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
return 1
  fi
  if [[ -x "/usr/bin/sudo" ]]; then
    if ! sudo sh -c "$installer > /tmp/at-install.log 2>&1"; then
      warn "Failed to install 'at' with sudo; mnemonic cleanup will be manual."
      return 1
    fi
Confidence
94% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
## Scripts

- **Step scripts** — `scripts/01_install_cast.sh`..`06_finish.sh` cover the onboarding flow described in the README: install Foundry/cast, create or import a key, encrypt the keystore, choose network/RPC/tokens (sourced from the JSON assets), and show the resulting address and balance. Run them in order when the user requests onboarding. Each script already prompts for the necessary inputs (mnemonic/private key, password, RPC URL, token details), so relaying the same questions to the user and then running the next script is the recommended approach.
- **Wallet health check** — `scripts/check_wallet.sh` inspects the shared state and reports whether a keystore/address pair already exists; it returns success (0) when a wallet is present and 1 otherwise.
- **Network status** — `scripts/show_network.sh` prints the active network name, chainId, and RPC URL from `~/.agent-wallet/state.env`, or warns if the configuration is incomplete.
- **Wallet removal** — `scripts/remove_wallet.sh` safely deletes the keystore, password stash, and metadata from `~/.agent-wallet/state.env` after an explicit confirmation.
Confidence
92% confidence
Finding
create or import a key, encrypt the keystore, choose network/RPC/tokens (sourced from the JSON assets), and show the resulting address and balance. Run them in order when the user requests onboarding.

External Script Fetching

High
Category
Supply Chain
Content
exit 0
fi
if ! has_cmd curl; then
  err "curl is required but not found. Install curl and re-run."
  exit 1
fi
warn "cast not found. Installing Foundry..."
Confidence
99% confidence
Finding
curl is required but not found. Install curl and re-run." exit 1 fi warn "cast not found. Installing Foundry..." curl -L https://foundry.paradigm.xyz | bash

Chaining Abuse

High
Category
Tool Misuse
Content
exit 1
fi
warn "cast not found. Installing Foundry..."
curl -L https://foundry.paradigm.xyz | bash
enable_strict_path
if ! has_cmd foundryup; then
  for p in "${HOME}/.bashrc" "${HOME}/.zshrc" "${HOME}/.profile"; do
Confidence
99% confidence
Finding
| bash

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.