Back to skill

Security audit

Clawcast - Easiest Ethereum Crypto Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a real EVM wallet helper, but it stores wallet secrets locally and can change the host environment in ways users should review carefully.

Treat this as a high-risk hot-wallet skill. Do not import a valuable existing seed phrase or private key; use a fresh wallet with limited funds, review the install scripts before running them, avoid granting sudo during setup, remove plaintext password/mnemonic files promptly, and require explicit human confirmation before any transaction is signed or broadcast.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill directs the agent to read and write local files and execute shell commands, yet it declares no permissions or capability boundaries. In a wallet-management context, hidden shell/file capabilities increase the chance that sensitive material such as keys, passwords, and transaction metadata will be handled without appropriate user awareness or sandboxing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior extends well beyond ordinary wallet guidance into software installation from the internet, local plaintext secret storage, package installation with possible privilege escalation, scheduled job creation, mutation of bundled assets, and log tampering. In a crypto wallet skill, this mismatch is especially dangerous because users may trust the skill with seed phrases and private keys without realizing it also persists secrets and alters the host environment.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill requires persistent logging of transaction mentions to a workspace file, including wallet-linked metadata, without a strong operational need for core wallet management. Persistent records of addresses and transaction hashes create a privacy and targeting risk, especially for cryptocurrency users whose activity may be correlated across sessions or shared workspaces.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The skill describes the token metadata JSON as an authoritative reference, then later instructs the agent to write user-provided token entries directly into that same asset. Mixing trusted reference data with mutable user input can poison future decisions, causing incorrect token recommendations, explorer links, or contract interactions in later sessions.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The Fantom entry labels the token as "Tether USD" but names/symbols it as "Frapped USDT"/"fUSDT", creating contradictory metadata for a wallet/transaction skill that may rely on this file for token selection and user display. In EVM tooling, incorrect token identity metadata can cause users or downstream automation to interact with the wrong asset representation, increasing the risk of mistaken transfers, swaps, accounting errors, or trust in a bridged asset under a misleading label.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script goes beyond wallet management by attempting to install the 'at' package and rely on host scheduling services to delete mnemonic files later. That expands the skill's privileges and attack surface, and on systems where users run the script with elevated privileges it can modify the host without explicit informed consent.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script removes entries from a workspace transaction log during wallet deletion, which expands its behavior beyond deleting the wallet's own keystore material. This is dangerous because a user invoking wallet removal may unintentionally lose audit/history data in a shared workspace, and the deletion is keyed only on address string matching rather than stronger ownership or scoping checks.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The confirmation prompt says it will delete keystore/password/address information, but the script also deletes mnemonic backups, Foundry keystores, transaction log mentions, and even removes the entire application directory. This mismatch is dangerous because it undermines informed consent and can lead users to approve significantly more destructive actions than the prompt discloses.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions mandate persistent recording of transaction details without warning the user that wallet activity is being stored locally. In a financial context, silent persistence of transaction data undermines user expectations and can expose sensitive behavioral information if the workspace is shared, synced, or later compromised.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sources `${STATE_FILE}` directly, so any shell code present in that file will execute in the current process. Because the state file is writable through helper functions and lives in the user's home directory, tampering with it can turn simple state persistence into arbitrary code execution whenever `state_get` is called.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script downloads code from a remote URL and immediately executes it with `bash` without any integrity verification, pinning, or explicit confirmation from the user. This creates a supply-chain execution risk: if the remote endpoint, transport path, or served installer is compromised, arbitrary code will run on the user's machine.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script executes package installation commands and may invoke sudo without prior disclosure or confirmation. In a wallet-handling context, unexpected privileged host changes are risky because users may focus on key management and miss that the script is also performing system administration.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script writes the mnemonic recovery phrase to disk, even if permissions are restricted and deletion is scheduled later. Mnemonics are the highest-value wallet secret; storing them on disk creates a theft window from malware, backups, shell access, or recovery artifacts, and the wallet-management context makes this especially sensitive.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script persists the wallet password in plaintext at ${APP_DIR}/pw.txt, then stores that path in state for later reuse. Even with umask 077 and chmod 600, plaintext-on-disk secrets are recoverable by any process or user with access to that account, backups, logs, or the application directory, which materially increases compromise risk for the encrypted keystore.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs persisting wallet secrets locally, including storing a generated mnemonic in a file and saving the keystore password in a helper file. Plaintext or weakly protected secret persistence materially increases the chance of wallet compromise, and in a crypto context that can directly lead to irreversible fund theft.

Ssd 3

Medium
Confidence
90% confidence
Finding
Keeping a running log of wallet-linked transaction details creates a durable mapping between addresses, timestamps, and activity. While not as severe as storing private keys, this is still sensitive financial metadata that can be used for profiling, surveillance, or targeting of the wallet owner.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
4. **Onboarding flow** (automatic when no wallet exists). If the readiness check exits with 1, walk through the scripted steps in order, mirroring their prompts and explicitly asking the user for every required piece of information before running the next script. After the key-material step finishes, share the derived address immediately so the user sees it before we ask them for anything in step 3:
   1. Installation — explain that the script will ensure Foundry/cast is installed so every mentioned `cast` command works before proceeding.
   2. Key material — before running the wallet step, ask whether they want to create a new hot keypair, import a 12/24-word MetaMask-compatible mnemonic (`m/44'/60'/0'/0/0`), or import a private key. Collect the chosen secret, confirm the resulting address right after the step finishes, and tell the user that address before moving on. When generating a new keypair, capture the mnemonic displayed by `cast wallet new`, save it to `~/.agent-wallet/mnemonic-words-<timestamp>.txt`, and tell the user the exact path plus the fact that a job (via `at now + 1 hour` if available or a background `sleep` fallback) will delete that file after 60 minutes so the seed phrase does not linger.
   3. Password — only ask for the keystore password once (there is no confirmation prompt, no save/remember question, and the account name is forced to “agent”). The script saves that password to the local helper file and uses it when creating the keystore, so nothing else is needed from the user for this step.
   4. Network — read aloud the default network list derived from `assets/evm-networks.json`, ask which numbered network they want, and note that the script now auto-selects the first RPC URL from that entry (it saves the matching `CHAIN_ID`/`ETH_RPC_URL` and then just shows the RPC so the user can see which endpoint is being used).
   5. Tokens — the script now prints the token table derived from `assets/evm-network-tokens.json` so it appears directly i
...[truncated 25 chars]
Confidence
84% confidence
Finding
no confirmation

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
return 1
  fi
  if [[ -x "/usr/bin/sudo" ]]; then
    if ! sudo sh -c "$installer > /tmp/at-install.log 2>&1"; then
      warn "Failed to install 'at' with sudo; mnemonic cleanup will be manual."
      return 1
    fi
Confidence
96% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
## Scripts

- **Step scripts** — `scripts/01_install_cast.sh`..`06_finish.sh` cover the onboarding flow described in the README: install Foundry/cast, create or import a key, encrypt the keystore, choose network/RPC/tokens (sourced from the JSON assets), and show the resulting address and balance. Run them in order when the user requests onboarding. Each script already prompts for the necessary inputs (mnemonic/private key, password, RPC URL, token details), so relaying the same questions to the user and then running the next script is the recommended approach.
- **Wallet health check** — `scripts/check_wallet.sh` inspects the shared state and reports whether a keystore/address pair already exists; it returns success (0) when a wallet is present and 1 otherwise.
- **Network status** — `scripts/show_network.sh` prints the active network name, chainId, and RPC URL from `~/.agent-wallet/state.env`, or warns if the configuration is incomplete.
- **Wallet removal** — `scripts/remove_wallet.sh` safely deletes the keystore, password stash, and metadata from `~/.agent-wallet/state.env` after an explicit confirmation.
Confidence
88% confidence
Finding
create or import a key, encrypt the keystore, choose network/RPC/tokens (sourced from the JSON assets), and show the resulting address and balance. Run them in order when the user requests onboarding.

External Script Fetching

High
Category
Supply Chain
Content
exit 0
fi
if ! has_cmd curl; then
  err "curl is required but not found. Install curl and re-run."
  exit 1
fi
warn "cast not found. Installing Foundry..."
Confidence
98% confidence
Finding
curl is required but not found. Install curl and re-run." exit 1 fi warn "cast not found. Installing Foundry..." curl -L https://foundry.paradigm.xyz | bash

Chaining Abuse

High
Category
Tool Misuse
Content
exit 1
fi
warn "cast not found. Installing Foundry..."
curl -L https://foundry.paradigm.xyz | bash
enable_strict_path
if ! has_cmd foundryup; then
  for p in "${HOME}/.bashrc" "${HOME}/.zshrc" "${HOME}/.profile"; do
Confidence
99% confidence
Finding
| bash

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.