Is botmechanic/nexwave-gateway safe?

https://github.com/openclaw/skills/tree/main/skills/botmechanic/nexwave-gateway

Score: 97 (SAFE)

This skill implements legitimate cross-chain USDC transfers using Circle Gateway and Circle Programmable Wallets. No prompt injection, data exfiltration, or malicious code execution patterns were detected. The skill uses standard Node.js project structure with npm dependencies. Network activity was limited to expected Circle API endpoints and GitHub. All canary files remained intact.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (1)

LOW: Sensitive credential requirements (-5)

The skill requires Circle API credentials (CIRCLE_API_KEY, CIRCLE_ENTITY_SECRET, CIRCLE_WALLET_SET_ID) which are sensitive. While the implementation doesn't exfiltrate these, a compromised or malicious version of this skill could theoretically log or transmit these credentials.