bitget-wallet
Audited by Socket on Apr 14, 2026
3 alerts found: Anomaly (x2), Security

This module is a high-impact wallet-signing orchestrator that signs and submits blockchain transactions. The file itself shows no overt malicious behavior (no obvious exfiltration, subprocesses, eval/exec on data, or hardcoded secrets). However, it materially increases supply-chain and trust-boundary risk by dynamically executing a local signing module (scripts/social-wallet.py), loading secrets through it, and using untrusted API-provided transaction payloads to drive what gets signed and then immediately sent. Security depends heavily on the integrity of the dynamically loaded social-wallet.py and the bitget-wallet-agent-api module, plus strict validation of API-returned tx structures inside sw.*.
This module itself looks like a legitimate wallet/order orchestration wrapper: it reads user-provided keys, requests an order, signs returned transactions, attaches signatures, and submits them. There is no direct evidence of overt malware, credential theft, or obfuscation in this file. However, the security risk is driven by supply-chain/import-resolution design: it prepends the script directory to sys.path and then dynamically imports the critical API module and relies on external signing/key utilities. If any of these imports are shadowed or compromised, the private keys and transaction contents could be stolen or manipulated. Verification of key_utils.read_key_file (secure deletion/file handling) and the implementations of bitget-wallet-agent-api.send/make_order and order_sign.* is necessary for confident risk assessment.
SUSPICIOUS. The overall footprint fits a crypto wallet/trading skill, but it enables high-impact financial actions and handles wallet secrets. The biggest concern is data-flow integrity: the documented Bitget API host/auth scheme conflicts with the skill's hard-coded endpoint and token-auth claims, making the remote trust boundary unclear. Not confirmed malware, but risky and inconsistent enough to avoid trusting without stronger verification of the exact API domain, publisher ownership, and script behavior.