Scan Report
15/100
agentwallet
EVM wallet tool for autonomous agents with built-in accountability. Creates, signs, and broadcasts ETH and ERC20 transfers on any EVM-compatible chain, then appends every transaction to a JSON log file.
Legitimate EVM wallet tool for autonomous agents with clear documentation. All capabilities are declared, no hidden functionality, and no malicious behavior observed.
Safe to install
Safe to use when wallet keys and output paths are explicitly provided by the human. Always set --max-amount for x402 flows. Version pinning recommended for dependencies.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned dependency versions | requirements.txt:1 |
| Low | Network WRITE capability not explicitly declared | SKILL.md:1 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md line 20-25, reads wallet JSON, writes agentwallet.json log |
| Network | READ | WRITE | ✓ Aligned | Makes POST requests to RPC endpoints and x402 APIs (necessary for blockchain ope… |
| Shell | NONE | NONE | — | No subprocess usage found in scripts |
| Environment | NONE | NONE | — | No environment variable access observed |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
18 findings
File Tree
5 files · 52.8 KB · 1308 lines
Python 2f · 728L
HTML 1f · 439L
Markdown 1f · 139L
Text 1f · 2L
├─ scripts
│  ├─ log_transaction.py (Python)
│  └─ x402_request.py (Python)
├─ index.html (HTML)
├─ requirements.txt (Text)
└─ SKILL.md (Markdown)
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| eth-account | >=0.11.0 | pip | No | Version not pinned |
| requests | >=2.28.0 | pip | No | Version not pinned |
Security Positives
✓ All functionality clearly documented in SKILL.md with accurate descriptions
✓ No subprocess or shell execution - uses Python requests library only
✓ No credential exfiltration - private keys used only for local transaction signing
✓ Safety checks implemented (--max-amount, --pay-to validation in x402 flows)
✓ No base64-encoded payloads or obfuscated code
✓ Cryptographically appropriate: uses os.urandom for nonces, standard EIP-712 signing
✓ Audit logging to append-only JSON is a positive security feature
✓ Clear warning about chmod 600 for wallet files
✓ No hidden HTML comments or suspicious instructions