Is akshat-mishra101/wachai-mandates safe?

https://github.com/openclaw/skills/tree/main/skills/akshat-mishra101/wachai-mandates

Overall score: 70 (CAUTION)

The wachai-mandates skill is a documentation-only skill (no executable code, no git hooks, no embedded scripts) that directs AI agents to install an external npm CLI (@quillai-network/wachai) for cryptographically signing agent-to-agent financial mandates on Ethereum via XMTP. The primary risks are the unaudited npm package (which could contain malicious install scripts and was not examined), autonomous high-value cryptocurrency transaction signing without per-trade human approval, and a persistent XMTP inbound channel that accepts mandate payloads from arbitrary senders. All credential canary files were read during monitoring; timing analysis is most consistent with audit infrastructure behavior, but read-only access is undetectable by integrity checks and cannot be conclusively exonerated.

Category Scores

Prompt Injection 83/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 58/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 72/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

HIGH All credential canary files read during monitoring window -25

Six canonical credential files were opened and read during the audit session: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. The first access batch at 1771735280.050 predates the git clone (1771735285) and correlates with the audit sudo process; the second batch at 1771735296.251 follows the skill analysis phase. Timing argues for audit infrastructure origin, but read access is not detected by canary integrity checks, so data reads cannot be ruled out as exfiltration. The pattern — all six files hit in rapid succession — is identical to systematic credential harvesting.

HIGH Global npm install of unaudited external package instructed -30

The skill's primary install instruction is 'npm install -g @quillai-network/wachai'. A global npm install executes any preinstall and postinstall lifecycle scripts with full user privileges. The package is not included in the skill archive, so its dependencies, install scripts, and runtime behaviors were not audited in this review. Version is not pinned, so any future malicious release would be silently installed.

HIGH Skill enables autonomous high-value crypto transactions without per-trade human approval -30

SKILL.md teaches agents to propose, sign, and execute cryptocurrency swap mandates on behalf of users. The example mandate swaps 100 USDC for WBTC on Ethereum mainnet. Once both server and client agents sign, the mandate is 'approved' and represents a binding financial commitment. No pattern in the skill requires surfacing the mandate to the human user for approval before signing. A malicious counterparty or manipulated peer agent could construct fraudulent mandate terms.

MEDIUM AI agent instructed to generate and custody a cryptographic private key -12

'wachai wallet init' generates a new EVM private key and writes it to ~/.wachai/wallet.json. The skill instructs agents to run this command and use the resulting key to sign financial mandates. AI agents are susceptible to social engineering and prompt injection that could cause them to reveal or misuse the key material. The deprecated WACHAI_PRIVATE_KEY env var path also allows the key to leak into process environment exports.

MEDIUM XMTP persistent listener creates inbound command channel from arbitrary senders -20

The skill recommends keeping 'wachai xmtp receive --env production' running continuously as an always-on inbox. Any XMTP-initialized EVM address can send mandate envelopes to this listener. A malicious actor could craft specially constructed wachai.mandate payloads to manipulate the receiving agent's state or trigger unintended signing behavior. The listener runs with no sender allowlist.

MEDIUM Runtime behavior of @quillai-network/wachai not examined -15

The npm package instructed for installation is not present in the skill directory. Its full dependency tree, install scripts, and runtime credential access patterns (e.g., during 'wachai xmtp receive') were not auditable. The wachai CLI interacts with XMTP network nodes and the Ethereum RPC layer, both of which are external communication channels.

LOW Unpinned npm package version enables silent supply chain substitution -17

'npm install -g @quillai-network/wachai' installs whatever is currently published as latest. A future compromised release would be silently picked up by any agent running this skill for the first time, or after a 'npm update -g'.

LOW Repeated .ssh/authorized_keys reads during install session -10

The authorized_keys file was read at least eight times across multiple audit epochs. This is consistent with the SSH daemon authenticating multiple incoming connections from the audit infrastructure. No write events were detected. Noted for completeness; assessed as expected SSH daemon behavior.

INFO Trailing whitespace in homepage URL metadata 0

The homepage field in both SKILL.md frontmatter and _meta.json contains a trailing space after the URL. This is a minor hygiene issue with no security impact.