Is donald-jackson/agent-wallet-cli safe?

https://github.com/openclaw/skills/tree/main/skills/donald-jackson/agent-wallet-cli

Overall score 71 · CAUTION

The agent-wallet-cli skill definition files contain no active malicious code or prompt injection techniques, but the skill's design presents high operational risk: it explicitly instructs agents to bypass transaction confirmation (--yes) for crypto sends, x402 auto-payments, and token approvals, enabling irreversible financial actions without human oversight. The required external npm package was not audited and could contain malicious install-time code. Canary file reads observed post-install are attributable to the oathe audit system with no modification detected, and clone behavior was limited to expected GitHub traffic.

Category Scores (score · weight)

Prompt Injection 72/100 · 30%
Data Exfiltration 73/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 28/100 · 5%

Findings (10)

CRITICAL Agent can send irreversible crypto transactions without human confirmation -55

The SKILL.md explicitly instructs agents to pass --yes to all send commands for non-TTY/agent use, bypassing the interactive confirmation prompt. In an agentic context, a single ambiguous user request, prompt injection from external content, or misinterpretation could cause the agent to transfer arbitrary amounts of ETH/SOL/tokens to any address with no opportunity for user review before the transaction is broadcast.

HIGH x402 auto-payment enables funds drain via attacker-controlled HTTP endpoints -40

The x402 command instructs the agent to make HTTP requests, detect 402 Payment Required responses, and automatically pay the requested amount in stablecoins before retrying. With --yes, the agent pays without confirmation. An attacker-controlled URL (reachable via web-browsing or fetch skills, or injected via prompt injection) can serve a 402 response demanding any amount up to --max-amount, silently draining funds.

HIGH Unaudited external npm package required for operation -35

The skill requires npm install -g agent-wallet-cli, an external package not audited in this scan. npm packages can execute arbitrary code via preinstall/postinstall lifecycle hooks. The published npm package may differ from the GitHub source referenced in the skill, and the package contents were not analyzed for malicious behavior during this audit.

HIGH Unlimited ERC-20 token approvals grantable by agent -30

The approve --amount unlimited command allows the agent to permanently grant unlimited spending allowances on any ERC-20 token to any spender address. This is an irreversible on-chain operation that could be exploited if the agent is tricked into approving an attacker-controlled contract address.

HIGH RPC endpoint can be overridden to attacker-controlled node -25

The skill documents a networks --set command that allows overriding the RPC URL for any chain/network. An attacker who can influence agent behavior could redirect all blockchain queries to a malicious node that manipulates transaction data, reports false balances, or performs man-in-the-middle attacks on transaction broadcast.

MEDIUM Canary files accessed post-install (probable audit system activity) -27

Six sensitive canary files were opened for read at timestamp 1771933622.442, after the skill was installed and oathe analysis scripts had run. While no modification occurred and canary integrity passed, the second read event cannot be conclusively attributed to oathe's own verification scan without process-level attribution. The timing is consistent with oathe's post-install scan but warrants noting.

MEDIUM Skill design systematically bypasses transaction confirmation for agent use -28

The SKILL.md documents that --yes is required for agent/non-TTY use across all mutating operations (send, approve, transfer-from, x402). This is not a bug but an intentional design that removes human oversight from financial operations. When injected into an agent system prompt, this design guidance makes the agent a confirmation-free transaction executor by default.

MEDIUM WALLET_PASSWORD exposure via environment variable and CLI flag -20

The skill documents passing WALLET_PASSWORD via an environment variable and the --password CLI flag. CLI arguments are visible in /proc/<pid>/cmdline to any process on the system, and environment variables can be read by child processes. Shell history may record the password. An agent logging its tool calls could expose the password in logs.

LOW Pre-existing outbound TLS connection to Canonical infrastructure -18

A TLS connection to 185.125.188.57:443 (Canonical/Ubuntu) was present before the clone and absent after. This appears to be Ubuntu's MOTD news service or package update checker, not related to the skill. Noted for completeness.

INFO No malicious code in skill definition files 0

SKILL.md and _meta.json contain only documentation and metadata. No executable code, hidden instructions, git hooks, submodules, or symlinks were detected in the cloned skill files.