Oathe Security Badge

Is adacapo21/cardano-identity safe?

https://clawhub.ai/adacapo21/cardano-identity

88
SAFE

This skill appears to serve a legitimate purpose for querying Cardano ADAHandles, with clean prompt structure and no direct malicious behavior detected. However, it requires access to highly sensitive SEED_PHRASE data and installs third-party packages in a cryptocurrency context, creating potential attack vectors for fund theft.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (3)

HIGH Requires sensitive SEED_PHRASE environment variable -20

The skill requires access to the SEED_PHRASE environment variable, which contains the private key for cryptocurrency wallets. This is extremely sensitive data that could lead to complete loss of funds if compromised.

MEDIUM Third-party npm package installation -15

The skill installs the @indigoprotocol/cardano-mcp npm package, which cannot be independently verified during this audit. Third-party packages in cryptocurrency contexts pose elevated risks.

LOW High-value cryptocurrency target -10

The skill operates in a cryptocurrency context with access to wallet data, making it a high-value target for attackers. The combination of seed phrase access and third-party dependencies creates a concerning attack surface.