Clawwallet
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Clawwallet can handle private keys and move funds across chains, but the supplied artifacts do not clearly declare credentials, approvals, limits, or trusted implementation provenance.
Install only if you fully trust the publisher and the wallet service at CLAW_WALLET_URL. Start with testnet or low-value wallets, never import a main wallet private key casually, require human approval for every transaction, set strict policies and spend limits, and ask for reviewed source/install documentation before using it with real assets.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly or too broadly, the agent could move funds, sweep a wallet, create obligations, or execute blockchain transactions that may not be reversible.
These are broad, irreversible or high-impact financial actions. The supplied artifacts do not show clear per-action approval gates, spending limits, or containment.
'send_payment', 'send_token', 'sweep_wallet', ... 'swap_tokens', ... 'borrow_from_lending', ... 'cross_chain_transfer', ... 'execute_multisig_transaction'
Use only with explicit human approval for every transaction, strict spend/chain/account limits, and reviewed policy enforcement before enabling any fund-moving operation.
A private key or wallet-service credential could grant direct control over funds if exposed to the wrong service or agent context.
The skill reads an API key and sends a wallet private key to the configured wallet service, while the registry metadata declares no primary credential or env var requirements.
apiKey: process.env.CLAW_WALLET_API_KEY, ... async importWallet(privateKey, agentName, chain = this.config.defaultChain) ... body: { privateKey, agentName, chain }
Do not import valuable wallets unless the wallet service is trusted and locally controlled; prefer test wallets, hardware/multisig approval, scoped API keys, and explicit credential declarations.
Users cannot easily verify what service implementation will receive wallet credentials or submit transactions.
For a skill that claims wallet and DeFi authority, the lack of source, install provenance, and analyzable implementation leaves the actual wallet-service behavior unverified.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill. Code file presence: No code files present — this is an instruction-only skill. The regex-based scanner had nothing to analyze.
Require reviewed source code, pinned installation instructions, service documentation, and reproducible deployment details before using this with real funds.
Wallet activity or event notifications could be sent to webhook endpoints chosen during use.
Webhook and real-time wallet activity features are purpose-aligned, but wallet events can be sensitive and the supplied artifact does not show endpoint validation or data minimization details.
Webhooks & WebSockets ... 'register_webhook', 'list_webhooks', 'delete_webhook', ... 'get_wallet_activity'
Register only trusted webhook endpoints, limit event contents where possible, and review any webhook destination before enabling it.
