Back to plugin
Pluginv4.8.9
ClawScan security
My Wallet for OpenClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 27, 2026, 12:37 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The bundle contains a local Node-based wallet runtime (packaged MCP and CLI) that will persist data to your home directory and execute code, and the SKILL.md includes full source contents (with detected base64-like blocks) — coherent with a wallet but the packaging and embedded content raise red flags you should review before installing.
- Guidance
- This bundle includes runnable Node code that will start a local wallet runtime and store data under your home directory (nodeFile storage profile, e.g. ~/.mywallet). That behavior can be legitimate for a self-custodial wallet, but before installing: 1) verify the package provenance (official GitHub repo, release signatures, or publisher reputation); 2) manually audit the bundled payloads (especially large payload/*.cjs files and any long/encoded strings flagged by the scanner) for suspicious network endpoints, command execution, or hidden exfiltration; 3) consider installing and running it in an isolated environment (container/VM) if you cannot fully audit it; 4) back up and secure any mnemonic/private keys created and avoid using real funds until you confirm safety. The mismatch between 'instruction-only' and the presence of executable payloads and the base64-like signals are reasons to pause and review.
- Findings
[base64-block] unexpected: A base64-like prompt-injection pattern was detected inside the SKILL.md content. The SKILL.md embeds full file contents (including large payloads) which can contain long encoded blocks; embedding such blocks in runtime instructions is unusual and could be used for obfuscation or prompt-injection. It should be manually inspected.
Review Dimensions
- Purpose & Capability
- noteThe declared purpose (self-custodial wallet with approval workflows) matches the included artifacts: a launcher, MCP wiring (.mcp.json), runtime payload JS modules, and workflow SKILL.md files. However the registry metadata claims 'instruction-only' yet the bundle contains many executable payload files — an inconsistency worth noticing.
- Instruction Scope
- concernThe SKILL.md embeds the full source/manifest contents and runtime instructions referencing a local MCP subprocess launcher. Embedding large code blocks and encoded/binary-like content inside an instruction document can be used for prompt-injection or to hide behavior; the runtime will start packaged Node code that can read/write storage and spawn child processes. The SKILL.md does not request unrelated credentials, but it gives broad discretion to run bundled code.
- Install Mechanism
- okThere is no external install/download URL; the bundle contains all payloads and a simple launcher that requires local packaged modules. That reduces risks from fetching remote archives. No brew/npm/remote extract steps are present.
- Credentials
- okThe skill declares no required environment variables or credentials. The packaged Node runtime uses a nodeFile storage profile (nodeFile -> default path under the user's home directory, e.g. ~/.mywallet), which is expected for a self-custodial wallet but means it will persist sensitive wallet material to disk.
- Persistence & Privilege
- noteThe MCP launcher and payloads will run locally (node process) and persist runtime storage to the filesystem (home directory by default). always:false and no automatic global privileges are requested, but the skill will create persistent files and can spawn child processes — normal for this app type but a material security consideration for private keys.