TruthSea Verifier
Security checks across static analysis, malware telemetry, and agentic risk
Overview
TruthSea's declared capabilities are consistent with its blockchain-verification purpose, but it needs review because it takes a raw wallet private key and fetches an unpinned external MCP package at runtime to perform on-chain actions that stake, slash, or claim tokens.
Install only if you trust the TruthSea MCP server package and understand the wallet risk. Leave the key unset for read-only use, use a dedicated low-balance wallet for writes, pin or audit the npm package, and confirm every transaction before letting the agent submit, dispute, stake, or claim anything.
Static analysis
Static analysis findings are pending for this release.
VirusTotal
66/66 vendors reported no detection for this skill artifact. This covers the packaged skill only; the MCP server that the install spec fetches from npm at runtime is not part of the scanned artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is leaked, misused by the agent, or handled by a compromised MCP server, any transaction signed with it is valid on-chain: the wallet can sign unwanted transactions and lose staked tokens or funds.
The skill asks for a raw wallet private key that can authorize blockchain transactions; this is broad authority, not a narrowly scoped API token.
`DEPLOYER_PRIVATE_KEY` grants on-chain transaction authority. Always use a dedicated hot wallet with minimal funds.
Do not use a main wallet. Use a fresh burner wallet with minimal funds, keep read-only mode when possible, and prefer a scoped signer or wallet-confirmation flow over storing a raw private key.
An unintended or poorly reviewed tool call could create public blockchain records, stake tokens, trigger disputes, or financially affect other participants.
The exposed commands can perform high-impact on-chain mutations involving staking, slashing, disputes, and public claims, but the artifacts do not show enforced confirmations or transaction limits.
"/dispute" ... "Creates a fork and slashes the original host." ... "/edge create" ... "Stakes TRUTH tokens as collateral."
Require explicit user confirmation and a clear transaction preview before every wallet-backed action; set small spending/staking limits and avoid autonomous use.
A changed, compromised, or impersonated npm package could alter transaction behavior or mishandle wallet credentials.
The runtime server is fetched and executed from npm by package name without a pinned version or included reviewed source, while that server is expected to handle the wallet key and transactions.
"command": "npx", "args": ["-y", "truthsea-mcp-server"]
Pin the exact package version (with a lockfile integrity hash where the launcher honours one), link the published package to reviewed source, and avoid `npx -y` auto-fetching for a server that signs with a wallet key; running an audited, locally installed copy is the safer option.
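The install spec quoted above fetches whatever version of the package is current at launch. The check below is an added example, not TruthSea's own code: it audits an MCP server entry of that shape, flags the unpinned auto-installing form, and shows the two hardened alternatives the recommendation describes. The version number "1.2.3" and the vendored path are placeholders, and the rule that treats the first non-flag argument as the package spec is a simplification of how `npx` parses its arguments.

```javascript
// Added example, not code from TruthSea or its MCP server: a check over an MCP
// server entry of the shape the skill ships ("command": "npx", "args": [...]).
// "1.2.3" and the vendored path are placeholders. Treating the first non-flag
// argument as the package spec is a simplification of npx's argument parsing.

const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Split "name@spec" or "@scope/name@spec" into package name and version spec.
// A lone "@scope/name" has its only "@" at index 0 and therefore no version.
function splitSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, version: null };
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Return the findings for one MCP server entry; an empty list means nothing flagged.
function auditMcpServer(entry) {
  const findings = [];
  const args = entry.args || [];
  if (entry.command !== "npx") return findings;   // non-npx launchers are outside this check

  const autoInstall = args.includes("-y") || args.includes("--yes");
  const spec = args.find((a) => !a.startsWith("-"));
  if (!spec) {
    findings.push("no package spec given to npx");
    return findings;
  }
  const { name, version } = splitSpec(spec);
  if (version === null) {
    findings.push(autoInstall
      ? `package ${name} is unpinned and auto-installed (-y): npx resolves and runs whatever is latest at launch`
      : `package ${name} is unpinned: npx resolves the latest published version`);
  } else if (!EXACT_SEMVER.test(version)) {
    findings.push(`package ${name} uses a range or tag (${version}), not an exact version`);
  }
  // An exact version removes drift between launches, but npx still downloads
  // from the registry at runtime and does not check a lockfile integrity hash.
  return findings;
}

// As shipped in the skill's install spec.
const asShipped = { command: "npx", args: ["-y", "truthsea-mcp-server"] };

// Hardened option 1: exact version pinned (placeholder number). -y is kept so a
// non-interactive launch cannot block on an install prompt; the registry is
// still contacted at runtime, so pair this with a reviewed lockfile.
const pinned = { command: "npx", args: ["-y", "truthsea-mcp-server@1.2.3"] };

// Hardened option 2: run an audited, locally installed copy; nothing is fetched
// at launch and the code that sees the wallet key is the code that was reviewed.
const vendored = { command: "node", args: ["./vendor/truthsea-mcp-server/dist/index.js"] };
```

Run `auditMcpServer` over each `mcpServers` entry of the agent's config before enabling a skill; anything that is flagged and also receives a signing key is the case this report is warning about.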
