evm-wallet-skill

Fail

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The install step clones the entire codebase from a GitHub repository with no tag, commit or checksum pin, so the code obtained is whatever the default branch points to at install time.
      • Evidence: git clone https://github.com/surfer77/evm-wallet-skill.git /tmp/evm-wallet-tmp, followed by moving the files into the skill directory.
      • Risk: Code fetched this way can change between review and install; a compromised repository or maintainer account can introduce malicious scripts or backdoors into the agent's environment.
  • [REMOTE_CODE_EXECUTION]: The skill runs the downloaded code under Node.js and resolves its dependency tree from the npm registry at install time.
      • Evidence: cd "$SKILL_DIR" && npm install, then execution of scripts via node src/*.js.
      • Risk: npm install runs any lifecycle scripts (preinstall, install, postinstall) declared by the skill or by any of its transitive dependencies, which is arbitrary code execution during installation; at runtime the unreviewed logic executes with the agent's privileges.
  • [COMMAND_EXECUTION]: The skill drives sensitive operations (token transfers, swaps, smart-contract calls) through shell commands.
      • Evidence: Commands such as node src/transfer.js <chain> <to_address> <amount> --yes --json and node src/contract.js ... --yes --json.
      • Risk: This is the intended functionality, but the --yes flag indicates non-interactive execution, so the agent can broadcast irreversible financial transactions without a human approving each one.
  • [DATA_EXPOSURE]: The skill keeps the wallet's private key in a local JSON file.
      • Evidence: ~/.evm-wallet.json is named as the storage location for the private key.
      • Risk: Any process running as the same user can read the file; an agent compromised via prompt injection could exfiltrate the key or sign with it, and with the key goes every asset the wallet controls.
  • [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection because it acts on external data: user-supplied inputs and values read back from smart contracts.
      • Ingestion points: User-provided addresses, amounts, and smart-contract function arguments passed to src/contract.js and src/transfer.js.
      • Boundary markers: The instructions tell the agent to confirm with the user, but the prompts define no delimiters separating instructions from data and no sanitization logic.
      • Capability inventory: The skill can execute shell commands (node), perform network operations (blockchain transactions), and write to the filesystem.
      • Sanitization: No explicit sanitization or escaping of external content is described before the local scripts process it.
      • Severity: LOW (surface risk of indirect instruction execution through processed data).
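The controls a practitioner would put around these commands, as an added example that is not part of the skill or of this audit: a bash wrapper that pins the clone to a reviewed commit and installs with npm ci --ignore-scripts (the EXTERNAL_DOWNLOADS and REMOTE_CODE_EXECUTION findings), refuses to run while ~/.evm-wallet.json is readable by other users (DATA_EXPOSURE), and validates the chain, destination address and amount before it, rather than model-generated text, appends --yes to node src/transfer.js (COMMAND_EXECUTION and PROMPT_INJECTION). The skill directory, the per-transfer cap, the optional destination allowlist and the chain-name pattern are assumptions; the reviewed commit hash has to be supplied by whoever reviewed the code.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): hardened wrapper around the commands
# quoted in the audit. SKILL_DIR, MAX_AMOUNT, ALLOWED_TO and the chain-name
# pattern are assumptions; PINNED_COMMIT must be set to a commit you reviewed.
set -eu

SKILL_REPO="https://github.com/surfer77/evm-wallet-skill.git"
SKILL_DIR="${SKILL_DIR:-$HOME/.skills/evm-wallet}"   # assumed install location
KEY_FILE="${KEY_FILE:-$HOME/.evm-wallet.json}"        # key file named in the audit
MAX_AMOUNT="${MAX_AMOUNT:-0.5}"                        # assumed per-transfer policy cap
ALLOWED_TO="${ALLOWED_TO:-}"                           # optional space-separated destination allowlist

# EXTERNAL_DOWNLOADS / REMOTE_CODE_EXECUTION: fetch one reviewed commit instead of
# the current default branch, and install dependencies with lifecycle scripts disabled.
install_pinned() {
  [ -n "${PINNED_COMMIT:-}" ] || { echo "set PINNED_COMMIT to the reviewed commit hash" >&2; return 1; }
  tmp="$(mktemp -d)"
  git clone --quiet "$SKILL_REPO" "$tmp"
  git -C "$tmp" checkout --quiet "$PINNED_COMMIT"
  # Refuse to proceed unless HEAD is exactly the reviewed commit.
  [ "$(git -C "$tmp" rev-parse HEAD)" = "$PINNED_COMMIT" ] || { echo "commit mismatch" >&2; return 1; }
  mkdir -p "$SKILL_DIR"
  cp -R "$tmp"/. "$SKILL_DIR"/
  rm -rf "$tmp"
  # --ignore-scripts stops preinstall/postinstall hooks in the skill and in every
  # dependency; npm ci installs exactly the lockfile and fails if there is none.
  (cd "$SKILL_DIR" && npm ci --ignore-scripts)
}

# DATA_EXPOSURE: the key file must be a regular file with no group/other permissions.
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing key file: $f" >&2; return 1; }
  mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")"   # GNU stat, then BSD/macOS
  case "$mode" in
    600|400) return 0 ;;
    *) echo "key file $f has mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# COMMAND_EXECUTION / PROMPT_INJECTION: validate every model-supplied argument before
# it reaches node src/transfer.js with --yes. Format checks only; no EIP-55 checksum.
valid_chain()   { printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{0,31}$'; }   # assumed chain-name shape
valid_address() { printf '%s' "$1" | grep -Eq '^0x[0-9a-fA-F]{40}$'; }

valid_amount() {
  # Plain decimal only (no sign, exponent or whitespace), positive, within the cap.
  printf '%s' "$1" | grep -Eq '^[0-9]+(\.[0-9]+)?$' || return 1
  awk -v a="$1" -v cap="$MAX_AMOUNT" 'BEGIN { if (a + 0 > 0 && a + 0 <= cap + 0) exit 0; exit 1 }'
}

allowed_destination() {
  # With no allowlist configured, any well-formed address passes; comparison is case-insensitive.
  [ -n "$ALLOWED_TO" ] || return 0
  want="$(printf '%s' "$1" | tr 'A-F' 'a-f')"
  for a in $ALLOWED_TO; do
    [ "$(printf '%s' "$a" | tr 'A-F' 'a-f')" = "$want" ] && return 0
  done
  return 1
}

# --yes is appended here, after the checks, so model-generated text never supplies it.
safe_transfer() {
  chain="$1"; to="$2"; amount="$3"
  valid_chain "$chain"          || { echo "rejected chain: $chain" >&2; return 2; }
  valid_address "$to"           || { echo "rejected address: $to" >&2; return 2; }
  allowed_destination "$to"     || { echo "destination not on allowlist: $to" >&2; return 2; }
  valid_amount "$amount"        || { echo "rejected amount: $amount (cap $MAX_AMOUNT)" >&2; return 2; }
  check_key_file "$KEY_FILE"    || return 3
  (cd "$SKILL_DIR" && node src/transfer.js "$chain" "$to" "$amount" --yes --json)
}

# Usage:  ./wrapper.sh install
#         ./wrapper.sh transfer <chain> <to_address> <amount>
if [ "$#" -gt 0 ]; then
  case "$1" in
    install)  install_pinned ;;
    transfer) safe_transfer "${2:-}" "${3:-}" "${4:-}" ;;
    *) echo "usage: $0 install | transfer <chain> <to_address> <amount>" >&2; exit 64 ;;
  esac
fi
```

Two caveats on the install step: --ignore-scripts also skips the skill's own build scripts, so if the package needs a compile step it must be run by hand after reviewing it; and pinning a commit only helps if someone actually reads that commit, since the wrapper verifies identity, not safety. The validation functions reject shell metacharacters by construction (an address is exactly 0x plus 40 hex digits, an amount is a plain decimal), which is what removes the argument path an injected instruction would otherwise use.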
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 24, 2026, 12:25 AM