Is 0xlucasliao/bnbchain-erc8004-agent safe?
https://github.com/openclaw/skills/tree/main/skills/0xlucasliao/bnbchain-erc8004-agent
This skill is a markdown-only instruction set for managing on-chain AI agent identity via the ERC-8004 standard on BNB Chain. While the skill repo itself contains no executable code and exhibited clean installation behavior, it instructs the agent to install an unvetted Python package (bnbagent) from test.pypi.org — a known supply chain attack vector — and use it to manage cryptocurrency wallet private keys. The combination of unaudited dependencies and high-value cryptographic assets represents a significant risk that users should carefully evaluate before adoption.
Findings (9)
CRITICAL: Supply chain risk: pip install from test.pypi.org (-45)
The skill instructs the agent to install bnbagent==0.1.6 from test.pypi.org, which is a testing package index where packages are not vetted, reviewed, or subject to the same security standards as the main PyPI. Anyone can upload packages to test.pypi.org, making it a known vector for supply chain attacks. The installed package executes arbitrary Python code on import.
HIGH: Dependency confusion via --extra-index-url (-20)
The installation command uses --extra-index-url https://pypi.org/simple alongside test.pypi.org. If bnbagent has transitive dependencies, pip may resolve them from either index. An attacker could publish a malicious package with the same name as a legitimate dependency on test.pypi.org, causing it to be installed instead.
HIGH: Unaudited SDK manages cryptocurrency private keys (-35)
The bnbagent SDK from test.pypi.org generates, encrypts, and stores private keys in .bnbagent_state and connects to external BNB Chain endpoints. Since the SDK source is unaudited, it could exfiltrate private keys, wallet passwords, or other data to attacker-controlled servers during any API call.
MEDIUM: Environment variable access for wallet credentials (-10)
The skill reads WALLET_PASSWORD from environment variables. If the agent has broad environment access, this pattern normalizes reading env vars, which could expose other sensitive values (API keys, database credentials) to the unvetted SDK.
MEDIUM: Insecure default password fallback (-15)
The skill provides 'default-secure-password' as a fallback when WALLET_PASSWORD is not set. This predictable default means wallet encryption can be trivially broken if a user relies on the default, undermining the stated security model.
MEDIUM: Skill instructs agent to execute arbitrary code (-13)
The skill instructs the agent to create Python scripts and execute them, including installing packages and running SDK operations. While not a direct prompt injection, this pattern grants significant execution privileges to instructions embedded in the skill's markdown content.
LOW: High-value target: cryptocurrency wallet operations (-20)
This skill manages cryptocurrency wallets and on-chain identity registration. The combination of unvetted dependencies and high-value assets (private keys, wallet credentials) makes this an attractive target for supply chain attacks. Even if the current version is benign, future updates to the bnbagent package on test.pypi.org could introduce malicious behavior.
INFO: Clean installation behavior (-5)
No malicious activity detected during git clone and skill installation. No unexpected network connections, no processes spawned, no filesystem modifications outside expected paths. package.json has empty scripts object.
INFO: All honeypot files intact (0)
No canary files were accessed or modified during the audit, indicating no credential harvesting behavior during installation.