Is deiu/warden-app safe?

https://github.com/openclaw/skills/tree/main/skills/deiu/warden-app

Score: 92 / SAFE

The warden-app skill is a legitimate, well-structured crypto wallet automation tool containing only Markdown documentation with no malicious code, prompt injection, executable content, data exfiltration instructions, or suspicious clone-time behavior. The skill author has implemented meaningful safety measures including an execution confirmation gate and an explicit no-private-key policy. The primary risks are inherent to the skill's purpose rather than malicious design: on-chain financial transactions are irreversible and controlled by a text-match confirmation gate, the live app URL is sourced from a mutable reference file creating a supply-chain phishing vector for future repo compromises, and the skill's browser automation surface could interact with the Warden Agent Hub in ways that introduce untrusted sub-agents.

Category Scores

Prompt Injection 86/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (9)

MEDIUM On-chain transactions are irreversible — high consequence of any LLM execution error -20

The skill automates crypto swaps, cross-chain bridges, deposits, withdrawals, and perpetual futures positions. All of these operations write to a blockchain and cannot be undone. A misinterpreted confirmation signal, a social-engineering attack convincing the LLM that 'do it' qualifies as 'yes, execute', or a model hallucination about transaction parameters could result in permanent and unrecoverable financial loss. This is not a flaw in the skill's design per se, but an inherent consequence of giving an LLM agent control over financial execution.

MEDIUM Reference-file URL dependency creates supply-chain phishing vector -8

SKILL.md explicitly instructs the agent to read references/warden-ui-notes.md to obtain the current live app URL before navigating. This file lives in the skill's Git repository and can be modified by anyone with write access to the openclaw/skills repo. A malicious commit replacing 'https://app.wardenprotocol.org/' with an attacker-controlled phishing domain would cause the agent to automate wallet connection and transaction signing against a fraudulent frontend, with no independent validation step.

LOW Agent Hub interaction surface may chain to untrusted third-party agents -10

The skill documents navigation to the Warden App's Agent Hub and notes it still needs mapping for 'how to browse/select/run agents + permissions prompts'. An adversarial follow-on prompt could guide the agent to discover and launch a malicious third-party agent from within the Warden platform that has independent wallet-signing capabilities, effectively using the warden-app skill as a launchpad.

LOW Soft text-match execution gate susceptible to LLM interpretation drift -6

The execution gate is defined as requiring 'yes, execute' or 'an unambiguous equivalent'. LLMs in conversational contexts regularly treat phrases such as 'yes', 'go ahead', 'proceed', 'do it', or 'confirmed' as unambiguous. In long multi-turn sessions or under persuasive framing, the model may lower its threshold for what counts as explicit authorization, enabling unauthorized execution without the user having consciously approved a specific transaction.

LOW Browser automation snapshots may capture sensitive wallet UI state -10

The skill instructs the agent to take page snapshots to identify wallet labels, network, and balances. These snapshots may contain session authentication tokens, private wallet addresses, balance totals, open positions, pending transactions, or 2FA state. In multi-agent pipelines or if the agent's context is logged, this data could be exposed beyond the intended session.

LOW Dangerous in combination with file-reading or network-exfiltration skills -5

In isolation, warden-app is benign. However, if an adversarial prompt chain is active alongside a file-reading skill or a web-request skill, an attacker could instruct the agent to read local wallet seed phrase backups, browser-stored credentials, or private key files and then transmit them — steps the warden-app skill individually prohibits but cannot enforce across a multi-skill session.

INFO No executable code, hooks, submodules, or symlinks present 0

Complete review of all skill files confirms exclusively Markdown documentation and metadata JSON. There is no package.json, no npm lifecycle scripts, no shell scripts, Python or JavaScript, no git hooks in .githooks/ or .gitattributes, no submodule references in .gitmodules, and no symlinks pointing outside the skill directory.

INFO All network activity attributable to audit infrastructure, not skill payload 0

The git clone to GitHub (140.82.113.4:443) was executed by the oathe audit system's installation script (bash -c with decoded content confirming: git clone --depth 1 --no-checkout --branch main https://github.com/openclaw/skills.git /tmp/monorepo-clone). Canonical/Ubuntu connections were pre-existing before skill install. Connection diff confirms zero new external endpoints were added post-install.

INFO Canary file accesses at both timestamps are audit system integrity checks 0

Six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) show PATH syscall access at audit timestamps 1771924759 (before install) and 1771924778 (after install). Both events exhibit identical access patterns: all 6 files in strict sequential order within a single millisecond with consecutive audit record IDs. This is the audit system's own canary scanner running its pre-install baseline and post-install verification sweeps. The monitoring system confirms all files intact.