Is asgherali/usd1 safe?
https://github.com/openclaw/skills/tree/main/skills/asgherali/usd1
This skill enables USD1/USDC token transfers via Wormhole. While technically sound and free of malware or explicit exfiltration, it introduces significant financial risk by handling private keys for blockchain transactions. The skill could be weaponized via prompt injection to steal user funds, or keys could be mishandled through logging. The testnet-only default provides some protection.
Findings (3)
HIGH Private key handling risk -30
The skill accepts a privateKey parameter and uses it to sign blockchain transactions. If this key is logged, cached, or transmitted insecurely, funds could be stolen. While the skill itself isn't malicious, it enables high-risk operations.
MEDIUM Transaction data visible in logs -5
Transaction hashes and wallet addresses are returned in the response. If these logs are captured by the agent or external logging systems, they could expose financial activity.
LOW No sandboxing of financial parameters -5
The skill accepts amount, toAddress, and privateKey without validation that they come from a trusted source. A compromised prompt could trick the agent into transferring funds to an attacker-controlled address.