中文 EN

Scan Report

Scan New Files

Suspicious — Risk Score 52/100
Last scan:2 days ago Rescan
52 /100
claw-wallet
Local multi-chain wallet skill for AI agents with sandbox signing and configurable risk controls
Skill installs and executes an unsigned closed-source binary from GitHub without integrity verification, creating a supply chain risk, though the shell scripts themselves are transparent and the credential handling is properly scoped.
Skill Nameclaw-wallet
Duration44.0s
Enginepi
Use with caution
Before using this skill, verify the binary's integrity through published checksums or signatures. Consider auditing the sandbox binary independently or requesting source code availability. Use in isolated environments until verified.

Findings 4 items

Severity Finding Location
High
Unsigned closed-source binary execution without integrity verification
install.sh downloads a pre-built binary (clay-sandbox) from github.com/ClawWallet/Claw_Wallet_Bin and executes it. No checksum, signature, or reproducible build verification is performed.
curl -L -o "$TMP_TARGET" "$BINARY_URL"
→ Verify binary integrity through published SHA256 checksums or GPG signatures. Consider requesting reproducible builds or source code audit.
 install.sh:42
Medium
Third-party GitHub repository dependency for binary
The skill repo and binary repo are separate: skill from Claw-Wallet-Skill, binary from Claw_Wallet_Bin. This creates a supply chain gap where the skill documentation may not fully cover the binary's behavior.
BINARY_URL="https://github.com/ClawWallet/Claw_Wallet_Bin/raw/refs/heads/${BIN_BRANCH}/bin/$BINARY_NAME"
→ Ensure both repositories are from the same trusted entity and that the binary source is verifiable.
 install.sh:36
Medium
External domain communication for wallet binding
The skill instructs users to visit external websites (nex-claw.vercel.app, clawwallet.cc) for wallet binding. While part of the documented workflow, this extends the trust boundary beyond the local sandbox.
https://nex-claw.vercel.app/claim/<uid>
→ Document what data is sent to external domains and ensure user consent for this network communication.
 SKILL.md:57
Low
Binary branch is configurable via environment variable
BIN_BRANCH defaults to 'dev' but can be overridden via CLAW_WALLET_BIN_BRANCH, potentially pulling binaries from non-main branches.
BIN_BRANCH="${CLAW_WALLET_BIN_BRANCH:-dev}"
→ Default to stable/release branches rather than development branches for production use.
 install.sh:34
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned skill.yml declares filesystem:read/write within skills/claw-wallet
Network READ READ ✓ Aligned skill.yml declares localhost sandbox + github.com; SKILL.md also references exte…
Shell WRITE WRITE ✓ Aligned skill.yml declares exec for bash/sh scripts
Environment READ READ ✓ Aligned skill.yml declares CLAY_AGENT_TOKEN as sensitive credential; reads from .env.cla…
4 findings
🔗
Medium External URL 外部 URL
https://nex-claw.vercel.app/claim/
SKILL.md:57
🔗
Medium External URL 外部 URL
https://nex-claw.vercel.app/
SKILL.md:105
🔗
Medium External URL 外部 URL
https://www.openclawby.com/api/skills?q=
SKILL.md:303
🔗
Medium External URL 外部 URL
https://www.clawwallet.cc/claim/
skill.yml:115

File Tree

5 files · 29.3 KB · 742 lines
Markdown 2f · 371L Shell 2f · 256L YAML 1f · 115L
├─ 🔧 claw-wallet.sh Shell 155L · 4.4 KB
├─ 🔧 install.sh Shell 101L · 3.8 KB
├─ 📝 README.md Markdown 68L · 2.2 KB
├─ 📝 SKILL.md Markdown 303L · 14.8 KB
└─ 📋 skill.yml YAML 115L · 4.1 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
clay-sandbox unversioned (dev branch) github.com/ClawWallet/Claw_Wallet_Bin No Closed-source binary downloaded and executed without integrity verification

Security Positives

✓ Shell scripts are transparent, readable, and perform expected operations
✓ User confirmation required before executing transactions and uninstall
✓ Credential access is properly scoped to skill directory only
✓ No hidden functionality detected in shell scripts
✓ No base64-encoded payloads, eval(), or obfuscated code
✓ No credential harvesting or exfiltration patterns
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No curl|bash direct execution patterns
✓ No direct IP network requests detected
✓ Upgrade process preserves critical wallet state files