Is adeets-22/para-wallet safe?
https://github.com/openclaw/skills/tree/main/skills/adeets-22/para-wallet
The para-wallet skill is a clean, documentation-only Markdown file that teaches AI agents how to use Para's REST API for MPC blockchain wallet creation and transaction signing. No prompt injection, malicious code, exfiltration mechanisms, or suspicious installation behavior were detected; the skill scored well across all technical security categories. The primary risk is capability-inherent rather than skill-malicious: deploying this skill gives agents persistent authority to create real wallets and sign arbitrary transactions, which requires appropriate agent-level guardrails (confirmation prompts, spending limits, API key scoping) to prevent unintended financial operations.
Findings (7)
INFO Clean prompt content — no injection vectors detected -5
SKILL.md contains only legitimate REST API documentation for Para's MPC wallet service. A thorough review found no hidden instructions, override directives, invisible characters, HTML comment tricks, persona-switching commands, or requests for permissions beyond the skill's stated scope.
LOW PARA_API_KEY transmitted to third-party API by design -7
The skill's core operation requires placing PARA_API_KEY in the environment and sending it as an HTTP header on every request to Para's servers. This is the intended authentication model, not a backdoor, but it means any agent running this skill will routinely transmit a privileged credential to a third-party service. Users should treat the Para API key as a sensitive secret with appropriate scoping and rotation policies.
INFO No executable code — pure documentation skill 0
The entire skill consists of three files: _meta.json (registry metadata), SKILL.md (API documentation), and README.md (human-readable description). No scripts, compiled binaries, install hooks, git hooks, submodules, or symlinks are present. The filesystem baseline diff confirms the installation added exactly these three files and nothing else.
INFO Installation behavior nominal — expected GitHub clone only -8
The install process performed a sparse git clone of the openclaw/skills monorepo from github.com (140.82.121.4:443), checked out only the para-wallet subpath, copied the files, and cleaned up. No unexpected network destinations, no spawned background processes, no writes outside the designated skill directory, and no new persistent connections were observed.
INFO Canary files accessed read-only — consistent with audit framework activity -8
All six honeypot files were opened and read (CLOSE_NOWRITE) at two points during the session: once at audit initialization (before git clone, timestamp 1771650255) and once at audit conclusion (after all analysis, timestamp 1771650276). The timing and symmetry of these accesses, combined with the absence of any correlated outbound data transmission, strongly indicates the audit framework itself reads canary files for baseline establishment and post-audit verification. The canary integrity check independently confirms all files are intact.
LOW Arbitrary transaction signing capability requires deployment guardrails -15
The sign-raw endpoint accepts any 0x-prefixed hex string and signs it using the user's MPC wallet shares, producing a valid blockchain signature. While this is the intended functionality, it means an agent running this skill can sign any data it is instructed to sign — including fully formed transfer transactions. If another skill or user message contains a prompt injection that supplies a malicious transaction payload, the agent could sign and enable unauthorized fund transfers without additional confirmation checks.
INFO Financial operations capability warrants agent-level oversight controls -7
This skill grants agents standing authority to create real blockchain wallets and submit signing requests that authorize on-chain transactions. Users deploying this skill should implement agent-level safeguards including: confirmation prompts before signing, per-session spending limits, wallet monitoring/alerting, and scoped API keys that restrict which wallet IDs can be used. These controls are not built into the skill itself.