Agent Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a real wallet skill, but it gives an agent direct authority to move crypto funds with limited built-in safeguards.

Install only for fresh, low-value wallets unless you fully trust the runtime, dependencies, and host agent controls. Do not reuse an existing mainnet seed. Require explicit human approval for every transfer or bridge, verify chain, amount, recipient, and fees, keep the seed out of chat and logs, and avoid running the bundled bridge test/debug scripts with production funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly requires access to sensitive environment variables and outbound network/RPC calls, but it does not declare those permissions explicitly. In an agent ecosystem, undeclared capabilities reduce transparency and weaken policy enforcement, making it easier for a wallet-managing skill to access secrets or initiate blockchain actions without proper review.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script loads a wallet seed phrase from an environment variable, derives the private key, and uses it to initialize a blockchain adapter. Even though this appears to be a test script, handling full wallet seed material in a broadly runnable skill repository increases the chance of accidental exposure, misuse, or unauthorized fund movement if the environment is compromised. In the context of a wallet-management skill, access to signing credentials is inherently more sensitive because the skill’s purpose includes moving assets across chains.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README shows wallet creation output that includes the seed phrase and does not place a strong, immediate warning before the example. In an agent-wallet context, this is dangerous because operators may paste, log, screenshot, or expose the mnemonic during setup, leading to total wallet compromise and irreversible theft across all derived chains.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The transfer and bridge commands are documented without a clear warning that they can move real funds irreversibly, especially when NETWORK is set to mainnet. In a skill intended for AI agents, this increases the chance of accidental autonomous transfers, prompt-induced fund movement, or operator misuse with permanent financial loss.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list includes very broad phrases such as "transfer," which can match many ordinary user requests and unintentionally invoke wallet behavior. In a financial skill, accidental invocation is especially dangerous because it can lead to unintended balance exposure, address disclosure, or even fund movement workflows being initiated from ambiguous prompts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The transfer and bridge instructions omit an explicit warning that blockchain transactions are irreversible and require verification of recipient address, token, amount, and destination chain. In a wallet skill, missing these safeguards materially increases the risk of permanent asset loss from user error, prompt confusion, or social-engineering-induced misdirection.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The bridge command derives private keys from the seed phrase and immediately initiates a cross-chain USDC movement with no interactive confirmation, dry-run preview, or secondary approval step. In an agent-wallet skill, this is especially dangerous because a misparsed instruction, prompt injection, or unintended tool invocation can directly move funds across chains irreversibly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script directly reads a wallet seed phrase from the environment and derives the private key without any access control, confirmation flow, or user disclosure. In an agent-wallet skill, this is especially sensitive because the same secret can control funds across multiple chains, so misuse, logging, prompt-triggered execution, or accidental exposure could lead to full wallet compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code initiates a bridge transaction that can move value across chains with no user-facing confirmation, policy check, destination verification, or dry-run-only safeguard. In the context of an agent wallet skill whose purpose is fund movement, silent execution is particularly dangerous because an agent or automation path could trigger irreversible transfers or incur fees without informed authorization.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads a seed phrase from the environment, derives a private key, and immediately uses it to control a wallet without any guardrails, validation, or operator warning. In an agent-wallet skill, this is especially dangerous because the capability is financial by design: if invoked unintentionally or in the wrong environment, it grants direct signing authority over funds and can enable unauthorized transfers or bridging.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code initiates a bridge transaction directly, which can move assets across chains and incur irreversible on-chain effects, yet there is no explicit confirmation, preview, or human approval step. In the context of an AI agent wallet skill, this materially increases risk because autonomous or accidental execution could transfer funds, consume gas, and create asset recovery complexity across networks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script derives a live private key from an environment-provided seed phrase and then proceeds toward a token bridge operation with no explicit user confirmation, transaction review, or safety interlock. In the context of an agent wallet skill, this is especially dangerous because automated invocation could move funds across chains without the operator clearly approving the destination, amount, network, or consequences of the transfer.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code accesses highly sensitive credential material from an environment variable without any warning, validation, or disclosure about the security implications. This is dangerous because users or operators may supply a real seed phrase to run a seemingly harmless estimate script, and the script then derives a usable private key that could sign transactions or be exposed through logs, debugging, crash reporting, or future code changes.

Credential Access

High
Category
Privilege Escalation
Content
async function transfer(chain, token, amount, recipient) {
  const seedPhrase = getSeedPhrase();
  if (!seedPhrase) {
    console.error('Error: WALLET_SEED_PHRASE not set in .env');
    process.exit(1);
  }
Confidence
82% confidence
Finding
.env'

Credential Access

High
Category
Privilege Escalation
Content
async function bridge(fromChain, toChain, amount) {
  const seedPhrase = getSeedPhrase();
  if (!seedPhrase) {
    console.error('Error: WALLET_SEED_PHRASE not set in .env');
    process.exit(1);
  }
Confidence
89% confidence
Finding
.env'

VirusTotal

66/66 vendors flagged this skill as clean.