Is adacapo21/cardano-transactions safe?
https://clawhub.ai/adacapo21/cardano-transactions
This skill enables Cardano cryptocurrency transactions but requires access to seed phrases (wallet master keys) and installs unauditable external code. While it claims to require user confirmation, it relies on social rather than technical controls, creating significant financial risk if the external package or agent behavior is compromised.
Findings (5)
CRITICAL Requires SEED_PHRASE Environment Variable -40
The skill requires access to SEED_PHRASE, which is the master key to cryptocurrency wallets. This represents the most sensitive possible crypto data and could enable complete wallet drainage if compromised.
HIGH External NPM Package Installation -30
The skill installs '@indigoprotocol/cardano-mcp' npm package which contains unauditable code that executes with access to the seed phrase. This package could contain malicious code for crypto theft.
HIGH Unauditable External Package with Sensitive Data Access -20
The required MCP server package has access to the seed phrase but cannot be audited during this security review, creating a significant data exfiltration vector.
MEDIUM Social Engineering Safety Model -25
The skill relies on the AI agent following instructions to ask for user confirmation before transactions, but provides no technical enforcement mechanisms. A compromised or manipulated agent could bypass these social controls.
MEDIUM Irreversible Financial Transaction Capability -30
The skill can initiate irreversible cryptocurrency transactions that, if maliciously triggered, could result in permanent financial loss with no recourse.