Security Decision Report

claw-wallet

Skill installs and executes an unsigned closed-source binary from GitHub without integrity verification, creating a supply chain risk, though the shell scripts themselves are transparent and the credential handling is properly scoped.

Mode: install decision first   Source: manual upload   Scan time: 2026/4/3
Files: 5
IOCs: 4
Over-privilege items: 0
Findings: 4
Most direct threat evidence
High
Unsigned closed-source binary execution without integrity verification

install.sh downloads a pre-built binary (clay-sandbox) from github.com/ClawWallet/Claw_Wallet_Bin and executes it. No checksum, signature, or reproducible build verification is performed.

install.sh:42

Why this conclusion

1 of 4 dimensions triggered
Pass
Declared vs actual capabilities

Declared resources and inferred capabilities are broadly consistent.

Review
Hidden execution and outbound connections

4 general-risk artifacts extracted; they need to be judged in context.

Block
Attack chain and high-severity findings

The report contains a 0-step attack chain, plus 1 high or critical finding.

Pass
Dependency and supply chain hygiene

A dependency structure exists, but no obvious high-severity warnings have been seen yet.

How the risk score was driven up

Unsigned closed-source binary execution +30

install.sh downloads and executes pre-built binary from github.com/ClawWallet/Claw_Wallet_Bin without checksum or signature verification

External network access to third-party domains +15

Skill communicates with nex-claw.vercel.app and clawwallet.cc for bind flows; external GitHub repo access beyond declared sandbox

Supply chain dependency on third-party binary repo +12

Binary source is a separate repo (Claw_Wallet_Bin) not directly tied to skill repo

Key evidence

High

Unsigned closed-source binary execution without integrity verification

install.sh downloads a pre-built binary (clay-sandbox) from github.com/ClawWallet/Claw_Wallet_Bin and executes it. No checksum, signature, or reproducible build verification is performed.

install.sh:42
Verify binary integrity through published SHA256 checksums or GPG signatures. Consider requesting reproducible builds or source code audit.
Medium

Third-party GitHub repository dependency for binary

The skill repo and binary repo are separate: skill from Claw-Wallet-Skill, binary from Claw_Wallet_Bin. This creates a supply chain gap where the skill documentation may not fully cover the binary's behavior.

install.sh:36
Ensure both repositories are from the same trusted entity and that the binary source is verifiable.
Medium

External domain communication for wallet binding

The skill instructs users to visit external websites (nex-claw.vercel.app, clawwallet.cc) for wallet binding. While part of the documented workflow, this extends the trust boundary beyond the local sandbox.

SKILL.md:57
Document what data is sent to external domains and ensure user consent for this network communication.
Low

Binary branch is configurable via environment variable

BIN_BRANCH defaults to 'dev' but can be overridden via CLAW_WALLET_BIN_BRANCH, potentially pulling binaries from non-main branches.

install.sh:34
Default to stable/release branches rather than development branches for production use.
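The high-severity finding at install.sh:42 and the low-severity branch finding at install.sh:34 come down to the same missing step: pin the binary to a release tag and verify a published checksum before it is made executable. The script below is an added example written for this report, not code from the claw-wallet skill or the Claw_Wallet_Bin repository. It assumes, hypothetically, that the publisher tags releases as vX.Y.Z and attaches a SHA256SUMS file to each GitHub release; the URL layout, the CLAW_WALLET_BIN_TAG variable and the function names are illustrative.

```shell
#!/bin/sh
# Added example for this report, not code from the claw-wallet skill.
# Assumptions (hypothetical): the publisher tags releases as vX.Y.Z and attaches
# a SHA256SUMS file next to each binary asset on the GitHub release page.
set -eu

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if FILE hashes to EXPECTED (lowercase hex), 1 otherwise.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Accept only pinned release tags (v1.2.3); refuse branch names such as 'dev'
# or 'main', whose contents move underneath the installer.
is_release_tag() {
    case $1 in
        v[0-9]*.[0-9]*.[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Download a release asset plus its checksum list and refuse to install it
# unless the digest matches. Needs network access; not exercised offline.
fetch_and_verify() {
    repo=$1     # e.g. ClawWallet/Claw_Wallet_Bin
    tag=$2      # e.g. v1.0.0 (assumed tag scheme)
    asset=$3    # e.g. clay-sandbox
    dest=$4     # directory to install into
    is_release_tag "$tag" || {
        echo "refusing to install from non-release ref '$tag'" >&2
        return 1
    }
    base="https://github.com/$repo/releases/download/$tag"
    tmp=$(mktemp -d)
    curl -fsSL -o "$tmp/$asset" "$base/$asset"
    curl -fsSL -o "$tmp/SHA256SUMS" "$base/SHA256SUMS"
    # SHA256SUMS lines look like: <hex digest>  <file name>
    expected=$(awk -v a="$asset" '$2 == a {print $1}' "$tmp/SHA256SUMS")
    [ -n "$expected" ] || {
        echo "no checksum published for $asset" >&2
        rm -rf "$tmp"
        return 1
    }
    if ! verify_sha256 "$tmp/$asset" "$expected"; then
        echo "checksum mismatch for $asset; not installing" >&2
        rm -rf "$tmp"
        return 1
    fi
    install -m 0755 "$tmp/$asset" "$dest/$asset"
    rm -rf "$tmp"
}

# Usage (requires network). CLAW_WALLET_BIN_TAG is a hypothetical override; it
# is honoured only if it is itself a release tag, so 'dev' is rejected outright.
# fetch_and_verify ClawWallet/Claw_Wallet_Bin "${CLAW_WALLET_BIN_TAG:-v1.0.0}" clay-sandbox "$HOME/.local/bin"
```

A checksum list fetched from the same repository as the binary only protects against corrupted downloads and stale mirrors, not against a compromised repository, since an attacker who can replace the binary can replace SHA256SUMS too. If the publisher signs the list, add `gpg --verify SHA256SUMS.sig SHA256SUMS` against a key pinned in the skill before trusting it; otherwise the checksum should be embedded in install.sh itself so that changing it requires a reviewable commit to the skill repository.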

Declared vs actual capabilities

Filesystem   Pass
Declared WRITE
Inferred WRITE
skill.yml declares filesystem:read/write within skills/claw-wallet
Network access   Pass
Declared READ
Inferred READ
skill.yml declares localhost sandbox + github.com; SKILL.md also references external bind URLs
Command execution   Pass
Declared WRITE
Inferred WRITE
skill.yml declares exec for bash/sh scripts
Environment variables   Pass
Declared READ
Inferred READ
skill.yml declares CLAY_AGENT_TOKEN as a sensitive credential; read from .env.clay

Suspicious artifacts and outbound connections

Medium   External URL
https://nex-claw.vercel.app/claim/

SKILL.md:57

Medium   External URL
https://nex-claw.vercel.app/

SKILL.md:105

Medium   External URL
https://www.openclawby.com/api/skills?q=

SKILL.md:303

Medium   External URL
https://www.clawwallet.cc/claim/

skill.yml:115

Dependencies and supply chain

Package        Version                   Source                                  Vulnerability   Notes
clay-sandbox   unversioned (dev branch)  github.com/ClawWallet/Claw_Wallet_Bin   (none)          Closed-source binary downloaded and executed without integrity verification

File composition

5 files · 742 lines
Markdown   2 files · 371 lines
Shell      2 files · 256 lines
YAML       1 file · 115 lines
Files needing attention · 3
SKILL.md   Markdown · 303 lines
External domain communication for wallet binding · https://nex-claw.vercel.app/claim/ · https://nex-claw.vercel.app/ · https://www.openclawby.com/api/skills?q=
skill.yml   YAML · 115 lines
https://www.clawwallet.cc/claim/
install.sh   Shell · 101 lines
Unsigned closed-source binary execution without integrity verification · Third-party GitHub repository dependency for binary · Binary branch is configurable via environment variable
Other files · claw-wallet.sh · README.md

Security highlights

Shell scripts are transparent, readable, and perform expected operations
User confirmation required before executing transactions and uninstall
Credential access is properly scoped to skill directory only
No hidden functionality detected in shell scripts
No base64-encoded payloads, eval(), or obfuscated code
No credential harvesting or exfiltration patterns
No access to sensitive paths like ~/.ssh, ~/.aws, or .env
No curl|bash direct execution patterns
No direct IP network requests detected
Upgrade process preserves critical wallet state files