AAWP — AI Agent Wallet Protocol

Security checks across malware telemetry and agentic risk

Overview

This is a real AI wallet skill, but it gives an agent broad authority over funds while fetching its highest-risk runtime code after install.

Install only after reviewing the upstream GitHub runtime you will actually provision, not just this package. Use test funds first, pin the wallet address, keep keys out of shell history/logs/source control, verify the native binary provenance and factory approval independently, and avoid enabling cron, auto-swap, arbitrary contract calls, token approvals, NFT transfers, or DeFi borrowing until you have clear spend limits and a way to pause execution.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The manifest documents substantial networked behavior, including downloading runtime components from GitHub during provisioning, querying public APIs, and interacting with blockchains, yet no explicit permissions are declared. In an agent-skill ecosystem, undeclared network capability weakens operator review and can cause the skill to be granted trust it has not transparently earned, especially because it also handles private keys and transaction signing.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a wallet/protocol interface, but the documentation states the shipped package is only a bootstrap that fetches the real runtime stack remotely during provisioning and performs installer-like actions. That mismatch is dangerous because reviewers may assess a relatively simple wallet skill while the real executable logic is downloaded later, creating a supply-chain blind spot and enabling unreviewed code, native binaries, and scripts to be introduced post-install.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The manifest description omits major high-risk capabilities such as arbitrary contract interaction, NFT transfers, borrowing/lending, limit orders, backup/restore, and token deployment. Under-disclosure is especially dangerous here because this is a custodial-like agent wallet skill with autonomous transaction, cron, and signing features; operators may enable it without understanding the full financial and operational attack surface.

Intent-Code Divergence

High
Confidence
91% confidence
Finding
The documentation claims certain actions require human confirmation, but the same file provides direct commands for those actions and does not describe any technical enforcement such as interactive approval gates, policy checks, or signed attestations. In an autonomous agent context, unenforced 'human approval required' language can create false assurance and allow wallet creation, cron registration, or other sensitive on-chain actions to proceed automatically.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The installer tells users that the package installs only a SKILL.md manifest, but when OpenClaw is detected it may invoke `clawhub install aawp`, which can perform broader installation behavior outside this script's direct file writes. This mismatch is a security-relevant transparency issue because users may consent to a limited manifest install while actually triggering a more privileged or network-driven external installer path.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README documents powerful wallet actions such as token transfers, swaps, bridge operations, contract calls, and batch execution without prominent warnings that these actions can irreversibly move or lose funds if misused. In an agent-facing wallet skill, operators may copy commands directly into automation contexts, so the lack of safety framing increases the chance of accidental destructive execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README advertises DCA automation and price alerts with auto-swap behavior, including unattended scheduled transactions, but does not prominently warn that these features can trade live funds without an active session. In the context of an AI-agent wallet with daemonized execution, this is especially dangerous because users may enable autonomous strategies without fully understanding trigger conditions, slippage, market volatility, or failure modes.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script automatically writes `SKILL.md` into every detected client skill directory and the universal skills directory without an explicit confirmation step. In a multi-client environment this can silently modify several local agent configurations at once, increasing the chance of unintended enablement of a high-risk wallet skill that later provisions binaries and scripts from remote sources.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest explicitly states that runtime files, including a native binary and provisioning tools, are downloaded from GitHub and executed via a shell script at provisioning time. This creates a meaningful supply-chain and arbitrary code execution risk because users install a small trusted package but later execute remotely fetched artifacts whose contents are not fixed by the published package itself; the claimed on-chain hash verification does not clearly cover all fetched scripts or guarantee integrity before execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The package declares an environment variable for a private key used by a Guardian gas-relay wallet without an explicit warning about handling secret key material. In a wallet-management skill, this is especially sensitive because operators may place raw private keys into shell history, CI logs, process listings, or misconfigured environment stores, leading to wallet compromise and unauthorized transactions.

VirusTotal

VirusTotal findings are pending for this skill version.