Trust Assessment
evm-wallet-skill received a trust score of 30/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 1 high, 5 medium, and 0 low severity. Key findings include "Unsafe deserialization / dynamic eval", "Unpinned npm dependency version", and "Agent can be prompted to bypass transaction confirmation".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Agent can be prompted to bypass transaction confirmation: The `transfer.js`, `swap.js`, and `contract.js` scripts accept a `--yes` flag which bypasses the critical user confirmation prompt before executing a blockchain transaction. An attacker could craft a prompt to the AI agent that includes this flag, instructing the agent to perform unauthorized transfers, token swaps, or arbitrary contract calls without explicit user consent, leading to potential financial loss. The skill's documentation explicitly warns users to confirm transactions, but the `--yes` flag provides a direct programmatic bypass. Remove the `--yes` flag functionality from `transfer.js`, `swap.js`, and `contract.js` to enforce explicit user confirmation for all state-changing blockchain transactions. Alternatively, implement a more robust, agent-side confirmation mechanism that cannot be bypassed by prompt injection. | LLM | SKILL.md:76 |
| HIGH | Uncontrolled supply chain updates via git pull and npm install: The skill's installation and update mechanisms (`git clone`, `npm install`, `git pull`) directly fetch code and dependencies from an external GitHub repository (`https://github.com/surfer77/evm-wallet-skill`). A compromise of this repository could allow an attacker to inject malicious code into the skill, which would then be executed on the host system during installation or update. While `package-lock.json` pins dependency versions, `git pull` fetches new source code, and `npm install` could still be vulnerable if `package.json` is altered in the upstream repository. Implement cryptographic verification (e.g., GPG signatures, checksums) for fetched code and dependencies to ensure their integrity and authenticity. Consider using a trusted registry or a private package feed. For `git pull`, ensure that the repository is trusted and consider reviewing changes before applying updates, especially for skills handling sensitive operations like cryptocurrency transactions. | LLM | SKILL.md:40 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/jonisjongithub/evm-wallet-venice/src/balance.js:27 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/jonisjongithub/evm-wallet-venice/src/setup.js:14 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/jonisjongithub/evm-wallet-venice/src/transfer.js:28 |
| MEDIUM | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/jonisjongithub/evm-wallet-venice/src/venice.js:196 |
| MEDIUM | Unpinned npm dependency version: Dependency 'viem' is not pinned to an exact version ('^2.21.54'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/jonisjongithub/evm-wallet-venice/package.json |