Goodwallet Trading

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed GoodWallet trading skill, but it gives an agent broad wallet-signing power without enough built-in guardrails.

Install only if you fully trust GoodWallet, the npm package, and the configured signing endpoint. Before allowing any transaction, require the agent to show the chain, recipient or contract, token, amount, spender, approval size, ETH value, calldata meaning, slippage, and expected effect; avoid unlimited approvals and arbitrary contract calls unless you understand the exact consequence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill invokes external CLI tools that use environment variables and network access, yet the skill does not declare permissions or make those capabilities explicit. This reduces transparency for reviewers and users, and is especially risky here because the tool can sign blockchain transactions and talk to configurable endpoints such as SIGN_URL and RPC_URL.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The swap command accepts a slippage parameter but never uses it to compute a nonzero amountOutMin; every swap call passes 0n. That removes price protection entirely, allowing execution at any output amount and exposing users to severe MEV/sandwich losses or unexpectedly bad fills during volatile markets.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
For Uniswap V2, ETH swaps require a path beginning or ending with WETH, but the code sets path to only the destination token while commenting that WETH is implicit. This malformed path can cause transaction failure or interaction with incompatible router logic, making the trade feature unreliable and potentially causing users to sign wasteful transactions that still consume gas.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The token-to-ETH branch passes a path containing only the input token, even though Uniswap V2 expects the route to end with WETH for ETH output. This makes the swap call structurally incorrect, leading to reverted transactions and avoidable gas loss for users.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill exposes high-risk financial actions—unlimited token approvals, swaps, and arbitrary signed contract calls—without prominent user-facing warnings about irreversibility, spender risk, calldata risk, or value transfer consequences. In this context, the absence of warnings is particularly dangerous because the commands can authorize asset spending or execute arbitrary on-chain actions that cannot be undone once signed and broadcast.

Missing User Warnings

High
Confidence
99% confidence
Finding
The contract-call command signs and broadcasts arbitrary calldata to any address, with optional ETH value, using the wallet's MPC credentials and no allowlist, decoding, simulation, or confirmation guard. In an agent skill intended to respond to trading/DeFi prompts, this is especially dangerous because prompt-driven misuse or social engineering can turn the wallet into a generic transaction signer for approvals, token drains, ownership changes, or malicious protocol interactions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The approve command defaults to max uint256 when no amount is provided, effectively granting unlimited token spending to any supplied spender address. In a DeFi/trading agent context, this greatly increases blast radius: a compromised, malicious, or mistaken spender can drain all present and future token balances without further user approval.

VirusTotal

66/66 vendors flagged this skill as clean.
