starknet-agentic-skills
Audited by Socket on Apr 12, 2026
17 alerts found:
Anomaly x4, Security x6, Obfuscated File x7
The provided artifact is a static analysis report summarizing security issues across multiple Cairo smart-contract repositories. It contains no executable or obfuscated malware. The findings, however, reveal numerous high-risk smart-contract design and governance issues (immediate upgrades without timelocks, critical addresses initialized without nonzero guards, irrevocable admin roles, and other logic flaws) that could enable privileged actors to perform malicious on-chain actions or lead to accidental critical failures. I recommend immediate code review and remediation of the flagged contracts before deployment. No direct evidence of embedded malware in the scanned packages is present in this report.
The provided artifact is a static scan report listing multiple serious smart-contract security issues across several Cairo/StarkNet repositories. The issues (immediate upgrades without timelock, non-guarded critical address initialization, irrevocable admins, fees recipient set to zero, CEI violation) indicate high-risk patterns that could enable privileged actors to upgrade contracts to malicious versions, seize funds, or cause DoS. This report is not executable code and does not itself show active malware, but it flags misconfigurations and dangerous upgrade/privilege patterns that should be treated as significant security vulnerabilities and remediated before deployment.
This code is primarily an event watcher with robust retry/polling logic. It contains two notable high-impact behaviors: (1) optional outbound webhook delivery of captured event data to an arbitrary configured URL (potential data exfiltration), and (2) a TTL-triggered “selfDestruct” routine that modifies the local crontab and deletes cron-related files under ~/.openclaw/cron using child_process (execSync/execFileSync), then exits the process. No explicit eval/Function obfuscation or clear malware payload is visible in the provided fragment, but the cron manipulation capability and webhook exfiltration justify a security review.
No clear embedded malware behavior is evident in this fragment (no obfuscated payloads, no eval/dynamic execution, and no direct exfiltration mechanisms). The dominant security concern is high-impact operational/supply-chain risk: it generates and persists private keys to state.json, passes sensitive secrets into spawned subprocesses (including an npm dev server in a configurable directory), and launches an MCP dist entrypoint that can perform privileged on-chain actions. If any of those external/local components are tampered with or misconfigured, secret exposure and unintended transactions become plausible. Review and harden SISNA_DIR/dist integrity, minimize env passthrough, and avoid storing unredacted private keys on disk or use encrypted/managed secret storage.
SUSPICIOUS. The core purpose is coherent with Starknet onboarding, but the trust model is weak: it promotes an unpinned raw GitHub pipe-to-shell installer from a personal fork with incomplete release provenance, while enabling autonomous blockchain actions with financial consequences. Data flows are mostly aligned to AVNU and on-chain targets, so this is not confirmed malware, but it is a high-risk skill.
SUSPICIOUS. The skill's purpose and most capabilities are coherent with Starknet account-abstraction review, and the Starknet.js example aligns with official ecosystem tooling. The main concern is the unexplained cairo-auditor dependency: it is referenced as part of the workflow but could not be verified as an official same-org or registry-published tool, creating a supply-chain trust gap. No clear credential harvesting or exfiltration is present, so this is better classified as suspicious/high-risk rather than malicious.
SUSPICIOUS. The skill is purpose-aligned for Starknet payments, but it enables autonomous crypto transfers and requires a raw wallet private key, making its impact high. Install sources are mostly benign PyPI packages, yet third-party RPC routing, unpinned dependencies, and financial-action capability raise the overall risk above a normal utility skill.
SUSPICIOUS. The skill is purpose-aligned for a crypto wallet, and its installs/endpoints are mostly official and coherent. However, it enables autonomous on-chain financial actions using a raw private key and optional third-party paymaster/API services, so the main risk is high-impact wallet control rather than clear malicious misdirection or exfiltration.
Purpose and capabilities are broadly aligned: this is a Starknet transaction/session skill using official Cartridge infrastructure. Main risks are the official-but-unpinned curl|bash installer and the fact that it enables autonomous on-chain transactions after a one-time human approval step, so overall it is better classified as suspicious/high-risk operationally rather than malicious.
SUSPICIOUS: The skill is purpose-aligned for Starknet wallet and swap operations, and its installs appear to come from normal official registries. However, it enables high-impact financial actions, forwards wallet context to third-party AVNU/Lava services, and includes conditional execution/watcher behavior that is risky for an AI agent.
The fragment contains a high-severity security logic issue: it forwards attacker-controlled Call entries directly to a privileged system contract call without validating target addresses or selectors. In a session-key or delegated execution context this permits self-calls and invocation of privileged selectors, enabling privilege escalation, unauthorized state modification, and reentrancy risks. The issue appears to be insecure implementation rather than explicit malware, and should be remediated by adding self-call and selector denylist checks, stricter session key restrictions, and safer error handling.
This fragment functions as a governance/security posture diff rather than executable code. Removals of critical upgrade-related classes suggest remediation, while additions introduce governance-risk signals that warrant review (IRREVOCABLE_ADMIN, UPGRADE_CLASS_HASH_WITHOUT_NONZERO_GUARD). No evidence of malware, hidden payloads, or data exfiltration is present in this data artifact. Recommended next steps: audit added governance-risk items, verify proper access-control and upgrade authorization configurations, and ensure consistent remediation across repositories.
This is a valid high-severity access-control finding: session-key execution path forwards untrusted selector/calldata into a syscall that can target the contract itself, enabling invocation of privileged selectors and privilege escalation. Immediate remediation: prevent session-key initiated self-calls (assert call.to != self_addr) and implement an explicit denylist of privileged selectors for session-key flows, plus tests to prevent regression. Confirm that the reported 'fixed' status corresponds to code changes and remove stale vulnerable artifacts from records.
This scan summary does not show explicit malicious code (no network exfiltration, hard-coded credentials or obfuscated payloads in the artifact). However, it highlights systemic, high-risk smart-contract anti-patterns across multiple Starknet/Cairo projects: unguarded critical-address initialization, immediate upgrades without timelocks or nonzero guards, and mutable access-control entrypoints. These design issues materially increase the risk of administrative takeover, immediate malicious upgrades, or denial-of-service. Manual code review of the flagged files (start with redeem_request.cairo and vault/upgrade/initializer functions), verification of deployment-time governance controls, and remediation (nonzero guards, timelocks/multisig gating, strict access checks, CEI compliance) are strongly recommended before trusting or depending on these packages.
The code is a test runner intended for E2E validation of a spending policy system. It does not appear to implement malicious functionality, but it includes a notable risk: it uses eval to execute dynamically constructed commands from test definitions, which could lead to command injection if inputs are controlled by an attacker. It also prints sensitive-looking inputs (account, session key) to stdout, and stores test outputs in a world-writable /tmp file, which could lead to information leakage in shared environments. Overall, the script is not inherently malicious but has moderate security risk due to dynamic code execution and exposure of sensitive data in logs/outputs. Recommend replacing eval with safer command construction, explicit input validation, and redaction/logging controls for sensitive data.
The scanner report flags multiple high-risk upgradeability and administration anti-patterns across several Cairo/Starknet repositories (immediate upgrades without timelocks, class-hash upgrades lacking nonzero guards, critical-address initialization without guards, irrevocable admin assignments, and unguarded access-control mutations). These are architectural and governance risks that could enable code replacement or admin takeover if an admin key is compromised or a malicious actor obtains privileged access. There is no evidence in this artifact of classical malware behaviors (exfiltration, backdoors, network connections, hard-coded secrets, or obfuscation of payloads). Action: perform targeted manual review of the listed files/lines, verify on-chain governance (timelocks/multisig), add or enforce nonzero guards, and remediate irrevocable admin patterns where unsuitable. Treat flagged items as high-priority security review candidates rather than confirmed compromise.
The scan identifies systematic high-impact governance and upgradeability risks across multiple Starknet/Cairo projects: immediate upgradeability without timelocks, missing non-zero guards in initialization/class-hash setters, and potentially irrevocable admin roles. These issues increase the likelihood of administrative takeover or malicious upgrades if deployed. The artifact is not malware, but the findings represent real on-chain security risks requiring manual verification and remediation (add timelocks/multisig/governance, validation checks, revocation paths). Prioritize review of the flagged files and functions before trusting deployed instances.