Scan report
15/100
agentwallet
EVM wallet tool for autonomous agents with built-in accountability. Creates, signs, and broadcasts ETH and ERC20 transfers on any EVM-compatible chain, then appends every transaction to a JSON log file.
Legitimate EVM wallet tool for autonomous agents with clear documentation. All capabilities are declared, no hidden functionality, and no malicious behavior observed.
Safe to install
Safe to use when wallet keys and output paths are explicitly provided by the human. Always set --max-amount for x402 flows. Version pinning recommended for dependencies.
Security findings: 2

| Severity | Finding | Location |
|---|---|---|
| Low | Unpinned dependency versions | requirements.txt:1 |
| Low | Network WRITE capability not explicitly declared | SKILL.md:1 |

| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | WRITE | WRITE | ✓ Consistent | SKILL.md line 20-25, reads wallet JSON, writes agentwallet.json log |
| Network access | READ | WRITE | ✓ Consistent | Makes POST requests to RPC endpoints and x402 APIs (necessary for blockchain ope… |
| Command execution | NONE | NONE | — | No subprocess usage found in scripts |
| Environment variables | NONE | NONE | — | No environment variable access observed |
| Skill invocation | NONE | NONE | — | No cross-skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
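18 findings

| Severity | Type | Description | Value | Location |
|---|---|---|---|---|
| Medium | External URL | External URL | https://clawhub.com/skills/cdnsoft-wallet | SKILL.md:14 |
| Medium | External URL | External URL | https://rpc.linea.build | SKILL.md:27 |
| Medium | External URL | External URL | https://actors.dev/emails | SKILL.md:36 |
| Medium | External URL | External URL | https://mainnet.base.org | SKILL.md:38 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x3604712bd95ba2ff36b624f3ffeb6b73b34604ea | SKILL.md:44 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 | SKILL.md:54 |
| Medium | External URL | External URL | https://cdnsoft.github.io/agentwallet | SKILL.md:139 |
| Medium | External URL | External URL | https://x402.org | index.html:361 |
| Medium | External URL | External URL | https://api.gateskip.org/solve/funcaptcha | index.html:377 |
| Medium | Wallet address | Cryptocurrency wallet address | 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 | index.html:413 |
| Medium | Wallet address | Cryptocurrency wallet address | 0xfde4C96c8593536E31F229EA8f37b2ADa2699bb2 | index.html:414 |
| Medium | Wallet address | Cryptocurrency wallet address | 0xdAC17F958D2ee523a2206206994597C13D831ec7 | index.html:415 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x50c5725949A6F0c72E6C4a641F24049A917DB0Cb | index.html:416 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x6B175474E89094C44Da98b954EedeAC495271d0F | index.html:417 |
| Medium | External URL | External URL | https://cypher.cdnsoft.net | index.html:422 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x4200000000000000000000000000000000000006 | scripts/log_transaction.py:285 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x2626664c2603336E57B271c5C0b26F421741e481 | scripts/log_transaction.py:286 |
| Info | Email | Email address | [email protected] | SKILL.md:42 |

Directory structure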
5 files · 52.8 KB · 1308 lines
Python: 2 files · 728 lines
HTML: 1 file · 439 lines
Markdown: 1 file · 139 lines
Text: 1 file · 2 lines

├─ scripts
│  ├─ log_transaction.py (Python)
│  └─ x402_request.py (Python)
├─ index.html (HTML)
├─ requirements.txt (Text)
└─ SKILL.md (Markdown)

Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| eth-account | >=0.11.0 | pip | No | Version not pinned |
| requests | >=2.28.0 | pip | No | Version not pinned |

Security highlights
✓ All functionality clearly documented in SKILL.md with accurate descriptions
✓ No subprocess or shell execution - uses Python requests library only
✓ No credential exfiltration - private keys used only for local transaction signing
✓ Safety checks implemented (--max-amount, --pay-to validation in x402 flows)
✓ No base64-encoded payloads or obfuscated code
✓ Cryptographically appropriate: uses os.urandom for nonces, standard EIP-712 signing
✓ Audit logging to append-only JSON is a positive security feature
✓ Clear warning about chmod 600 for wallet files
✓ No hidden HTML comments or suspicious instructions