Oathe Security Badge

Is adacapo21/cardano-balances safe?

https://clawhub.ai/adacapo21/cardano-balances

71
CAUTION

This skill provides legitimate Cardano blockchain wallet functionality but requires extremely dangerous seed phrase access. While no overtly malicious behavior was detected, the security model creates unacceptable risk of cryptocurrency theft.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 20/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 10/100 · 5%

Findings (3)

CRITICAL Requires cryptocurrency seed phrase access -80

The skill requires a SEED_PHRASE environment variable, which represents the master key to a cryptocurrency wallet. Seed phrases should never be shared with third-party applications as they provide complete control over wallet funds. This creates extreme security risk for users' cryptocurrency assets.

CRITICAL Dangerous cryptocurrency wallet access model -90

The fundamental architecture of requiring seed phrase access creates an unacceptable security risk. Any compromise of this skill, the MCP server, or the execution environment could result in immediate theft of all cryptocurrency funds. No legitimate wallet tool should require raw seed phrase access.

MEDIUM External package installation -20

The skill installs an external npm package '@indigoprotocol/cardano-mcp' which could contain arbitrary code. While the package name appears reasonable for Cardano functionality, external code installation always presents security risks.