Low risk: risk score 15/100
Last scanned: 18 hours ago
goodwallet
MPC agentic wallet management CLI for ETH/ERC-20 token operations and Polymarket prediction market trading
This is a legitimate CLI wrapper skill for a crypto wallet management tool (goodwallet), fully documented with no hidden functionality or credential exfiltration.
Skill name: goodwallet
Analysis time: 42.1s
Engine: pi
Verdict: safe to install
The skill is safe to use. Consider pinning the npm package to a specific hash in addition to the version for stronger supply chain assurance. Monitor the SIGN_URL environment variable as it could theoretically redirect signing operations.

Security findings (3)

Finding 1 (severity: low, category: supply chain): Remote npm package execution without integrity pinning
The skill executes `npx goodwallet@0.3.0` from the npm registry. While the version is pinned, there is no cryptographic hash verification (e.g., `--package-hashes` or an `integrity` field). A compromised npm account or a typosquatted package could deliver malicious code.
Evidence: All commands are run via `npx goodwallet@0.3.0`.
→ Pin to a content hash or consider vendoring the package. Monitor the goodwallet npm package for unusual publish activity.
Location: SKILL.md:9
Finding 2 (severity: low, category: supply chain): SIGN_URL environment variable could redirect signing operations
The skill respects a `SIGN_URL` environment variable (default: `sign.goodwallet.dev`) that controls the signing service endpoint. If it is set to a malicious server, signing operations could be redirected. The skill documents this correctly.
Evidence: | `SIGN_URL` | `sign.goodwallet.dev` | Override the signing service endpoint |
→ This is documented and user-controlled. Ensure users understand not to set `SIGN_URL` to untrusted values.
Location: SKILL.md:75
Finding 3 (severity: info, category: credential theft): Wallet credentials stored in plain text in user config directory
Credentials (`apiKey`, `share`, `address`) are stored in plaintext at `~/.config/goodwallet/config.json`. While the MPC 'share' architecture means this file alone is insufficient for key compromise, any local malware or misconfigured permissions could read it.
Evidence: credentials (`apiKey`, `share`, `address`) are saved to `~/.config/goodwallet/config.json`
→ This is inherent to the MPC wallet architecture described. Ensure filesystem permissions on `~/.config` are appropriately restricted.
Location: SKILL.md:29
Permissions

| Resource type | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ consistent | All commands execute via npx goodwallet@0.3.0 in bash — shell:WRITE usage is ful… |
| Filesystem | WRITE | WRITE | ✓ consistent | ~/.config/goodwallet/config.json and ~/.local/state/goodwallet/session.json — de… |
| Network access | READ | READ | ✓ consistent | npx fetches from npm registry; pair command polls sign.goodwallet.dev; declared … |
| Environment variables | NONE | READ | ✓ consistent | Uses $SIGN_URL env var (default: sign.goodwallet.dev) — declared in Environment … |
| Clipboard | NONE | NONE | | No clipboard access observed |
| Browser | NONE | NONE | | Auth URL is shown to user; user opens manually — no programmatic browser control |
| Database | NONE | NONE | | No database access observed |
| Skill invocation | NONE | NONE | | No cross-skill invocation observed |
Indicators (2 findings)

| Severity | Type | Category | Value | Location |
|---|---|---|---|---|
| Medium | Wallet address | Cryptocurrency wallet address | 0x0000000000000000000000000000000000001010 | SKILL.md:81 |
| Medium | Wallet address | Cryptocurrency wallet address | 0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359 | SKILL.md:84 |

Directory structure

1 file · 6.9 KB · 197 lines
Markdown: 1 file · 197 lines
└─ 📝 SKILL.md Markdown 197L · 6.9 KB

Dependency analysis (1 item)

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| goodwallet | 0.3.0 | npm | | No integrity hash pinning — relies on npm's package signing only |

Security highlights

✓ SKILL.md is comprehensive and fully documents all commands, file locations, and environment variables
✓ No hidden functionality — the entire capability surface is declared
✓ No credential exfiltration — credentials are stored locally and never sent anywhere except the legitimate signing service
✓ Auth URL is shown to user who opens it manually — no silent browser automation
✓ No base64 encoding, obfuscation, or anti-analysis patterns
✓ No attempts to access sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No reverse shell, C2, or data theft indicators
✓ Version pinned to 0.3.0 in all npx calls
✓ Token transfers require explicit user initiation through CLI commands