Is cryruz/agentsbank safe?

https://github.com/openclaw/skills/tree/main/skills/cryruz/agentsbank

73
CAUTION

AgentsBank SDK is a TypeScript client for a custodial cryptocurrency banking service (agentsbank.online) that lets AI agents manage wallets and execute real financial transactions. No active prompt injection, malicious scripts, or canary exfiltration were detected during the audit. The skill nevertheless carries significant financial risk: the service provider is unverified and has no regulatory standing; the disableModelInvocation: true safety claim exists only in metadata and is not enforced anywhere in the SDK code; and, by design, all user credentials and wallet data are sent to this unknown custodial service.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 42/100 · 5%

Findings (9)

HIGH Auth credentials transmitted to unverified third-party -25

The SDK's login() method POSTs agent_username and agent_password directly to https://api.agentsbank.online. The service provider has no verifiable security posture, regulatory standing, or public audit history. These credentials provide full access to custodial cryptocurrency wallets.

HIGH disableModelInvocation: true not enforced in code -30

SKILL.md and metadata declare disableModelInvocation: true, implying that autonomous transactions are blocked. That flag is a declaration aimed at the host runtime that loads the skill; whether it is honoured depends entirely on that runtime, and the SDK itself (client.ts, dist/index.js) never checks it. The send(), sendSafe(), and sendMultiple() methods execute real cryptocurrency transfers with no code-level guard, so only the LLM's own judgment stands between a prompt and an irreversible transfer.

HIGH Unverified financial service provider controls custodial wallets -35

All wallets created through this SDK are custodial (type: 'custodial' in WalletInfo): the private keys are held by agentsbank.online, not by the user. The service has no known regulatory oversight and no published security architecture beyond a self-hosted docs page, and it is very new (v0.1.0 was published at epoch-millisecond timestamp 1770432953360, ≈ Feb 2026). Because the user never holds the keys, any compromise or shutdown of agentsbank.online can result in total loss of user funds.

MEDIUM No default spending guardrails; empty config has unlimited transaction authority -18

GuardrailsConfig is optional and defaults to {}. An agent that instantiates AgentsBank() with the default config can therefore send unlimited transactions to any address: validateGuardrails() returns immediately when this.guardrails is falsy, and an empty config carries no limits for it to enforce in any case. A spending guard should fail closed, refusing to send until explicit limits are configured, rather than treating a missing configuration as permission.

MEDIUM All wallet financial data exfiltrated to third-party service -20

getBalance(), getTransactionHistory(), and getWallet() transmit complete wallet metadata, balances, and transaction histories to api.agentsbank.online; this is inherent to a custodial service, but it means the provider sees every position and every movement. The declared WebhookConfig type further allows agent.login, transaction.sent, and balance.changed events to be delivered to caller-supplied webhook URLs, a second channel through which the same data could leave.

MEDIUM Version inconsistency across files -8

Three different version strings exist: VERSION='1.0.5' in src/index.ts and dist/index.js; '1.0.6' in package.json, _meta.json, and SKILL.md; '1.0.7' in package.json (declared). The installed dist code is one patch version behind what both the metadata and the npm package claim, which suggests that dist/ was not rebuilt after the version bump or was copied from a different build. Either way, the compiled code users actually run is not the code the version metadata describes.

LOW Pre-built dist files cannot be source-verified -10

dist/index.js and dist/index.mjs are committed compiled artifacts. No obfuscation or suspicious code was detected in them, but the build was not reproduced during this audit. The source in src/ appears to match the behaviour of dist/; independent verification requires running 'npm run build' from a clean checkout and diffing the output against the committed dist/ files.
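An added check for the version drift described in this and the previous finding, not part of the audit tooling or the project: it reads the version string from each artifact and reports how many distinct values exist. The file layout and the patterns (a VERSION constant in src/index.ts and dist/index.js, a version field in package.json and _meta.json, a version: line in SKILL.md frontmatter) are assumptions, and the fixture it builds is constructed to mirror the finding, with package.json carrying 1.0.7.

```typescript
// Added example, not audit tooling or project code. File layout and patterns are assumptions.
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

interface VersionSource {
  file: string;     // path relative to the skill root
  pattern: RegExp;  // first capture group is the version string
}

const VERSION_SOURCES: VersionSource[] = [
  { file: "package.json", pattern: /"version"\s*:\s*"([^"]+)"/ },
  { file: "_meta.json", pattern: /"version"\s*:\s*"([^"]+)"/ },
  { file: "SKILL.md", pattern: /^version:\s*["']?(\d[^"'\s]*)/m },        // YAML frontmatter line
  { file: "src/index.ts", pattern: /\bVERSION\s*=\s*['"]([^'"]+)['"]/ },
  { file: "dist/index.js", pattern: /\bVERSION\s*=\s*['"]([^'"]+)['"]/ },
];

// Returns the version found in each artifact, or null if the file or pattern is missing.
function collectVersions(root: string): Record<string, string | null> {
  const found: Record<string, string | null> = {};
  for (const { file, pattern } of VERSION_SOURCES) {
    const full = path.join(root, file);
    if (!fs.existsSync(full)) {
      found[file] = null;
      continue;
    }
    const match = fs.readFileSync(full, "utf8").match(pattern);
    found[file] = match ? match[1] : null;
  }
  return found;
}

// Distinct version strings actually present, sorted; more than one means drift.
function distinctVersions(found: Record<string, string | null>): string[] {
  const values = Object.values(found).filter((v): v is string => v !== null);
  return Array.from(new Set(values)).sort();
}

// Constructed fixture mirroring the finding: src/dist at 1.0.5, metadata at 1.0.6,
// package.json at 1.0.7. These are not the real repository contents.
function makeFixture(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "agentsbank-versions-"));
  const write = (rel: string, body: string): void => {
    const full = path.join(root, rel);
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, body);
  };
  write("package.json", JSON.stringify({ name: "agentsbank", version: "1.0.7" }, null, 2));
  write("_meta.json", JSON.stringify({ version: "1.0.6" }, null, 2));
  write("SKILL.md", "---\nname: agentsbank\nversion: 1.0.6\ndisableModelInvocation: true\n---\n");
  write("src/index.ts", "export const VERSION = '1.0.5';\n");
  write("dist/index.js", '"use strict";\nconst VERSION = "1.0.5";\nexports.VERSION = VERSION;\n');
  return root;
}

// Stand-alone run against the constructed fixture.
const fixtureRoot = makeFixture();
const versionReport = collectVersions(fixtureRoot);
console.log(versionReport);
console.log("distinct versions:", distinctVersions(versionReport));
```

Point collectVersions at the real skill directory to check the actual files. The dist/ question needs a rebuild rather than a regex: from a clean checkout, run `npm ci && npm run build` and then `git status --porcelain -- dist/`; any output means the committed artifacts differ from what the source produces.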

LOW Stale .clawhub/lock.json from unrelated skill committed to repo -5

The .clawhub/lock.json file references 'academic-research-hub' version 0.1.0, an entirely different skill. The lock file appears to have been committed accidentally from the developer's workspace, which points to poor development hygiene and suggests that this skill directory doubled as a general scratch environment.

INFO Sensitive files accessed twice by audit framework (pre/post install) — no exfiltration 0

Auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP ADC were accessed at both 1771926027 (pre-install baseline check) and 1771926049 (post-install re-check). Both access bursts originate from the oathe audit framework's canary verification routine, not from the skill. Canary integrity report confirms all files are unmodified.