Is chetan-guevara/fluora-balance safe?

https://github.com/openclaw/skills/tree/main/skills/chetan-guevara/fluora-balance

79
CAUTION

The fluora-balance skill is a transparent, functionally legitimate USDC balance checker for the Fluora wallet ecosystem. The SKILL.md contains no prompt injection, the code does what it claims, and no canary files were accessed by skill code. The primary concerns are that the script loads an entire cryptocurrency wallet configuration file (~/.fluora/wallets.json) into memory before extracting only the public address field, and that the skill requires npm install plus network-capable Node.js execution. The 'Fluora' application ecosystem is unverified, introducing uncertainty about the sensitivity of the wallet file being accessed.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

MEDIUM Full wallet config file loaded into JavaScript heap -25

check_balance.js reads the entire contents of ~/.fluora/wallets.json using fs.readFileSync and JSON.parse before extracting only the USDC_BASE_MAINNET.address field. The full parsed object (which, in wallet applications, typically contains private keys, encrypted keystores, or seed phrase derivatives) lives in the Node.js heap for the duration of the process. A compromised dependency or a future code change could trivially access and exfiltrate the full content.

MEDIUM Skill requires npm install and executes network-capable JavaScript -18

The skill instructs the agent to run 'npm install' followed by 'node check_balance.js'. npm install downloads packages from the public npm registry even with a lock file present. The resulting Node.js process has unrestricted network access through the ethers.js JsonRpcProvider. No npm lifecycle hooks (preinstall/postinstall/prepare) are present in package.json, which is a positive finding, but the execution model grants significant ambient authority.

LOW Wallet address transmitted to external Coinbase/Base RPC endpoint -13

The script connects to https://mainnet.base.org and calls the USDC contract's balanceOf function with the user's wallet address. While wallet addresses on public blockchains are inherently non-secret, transmitting the address to a third-party RPC provider reveals that this specific user controls this specific address. The endpoint is legitimate Base Mainnet infrastructure operated by Coinbase, but this represents an outbound data transfer of a home-directory-sourced value to an external party.

LOW Broad trigger conditions may activate skill outside intended context -15

The SKILL.md description lists broad activation phrases including 'wallet balance', 'USDC balance', and 'how much money they have in their Fluora account'. The first two phrases are generic enough to conflict with other wallet-related skills or to activate this skill when the user is asking about a different wallet entirely. This could result in ~/.fluora/wallets.json being read when the user intended a different balance query.

LOW Fluora application ecosystem is unverified; wallets.json provenance unknown -20

'Fluora' is not a widely recognized major cryptocurrency wallet application. The security posture of the Fluora application itself determines what ~/.fluora/wallets.json contains and how sensitive its contents are. If Fluora stores private keys or mnemonics in wallets.json (common in less security-hardened wallet apps), this skill's access pattern becomes higher risk. The skill also references a companion 'fluora-setup' skill that is not audited here.

INFO No persistence mechanisms or unexpected network connections during install 0

Installation was limited to a git clone from github.com and file copy to the skill directory. No cron jobs, systemd units, SSH authorized_keys modifications, or writes outside the designated install path were detected. The connection diff shows no new listening ports after install.

INFO No npm lifecycle hooks present 0

package.json contains no 'scripts' field. There are no preinstall, postinstall, prepare, or other npm hooks that would execute code during 'npm install'. This eliminates a common attack vector for malicious skill packages.