Is circle-wallet safe?

https://clawhub.ai/eltontay/circle-wallet

Score: 62 · CAUTION

The circle-wallet skill is a functional USDC wallet interface with no prompt-injection content detected, but it exhibits concerning install-time behavior: during npm install the process reads .env files, AWS credentials, and the agent's auth profiles. Some of these reads may originate from the openclaw framework rather than from the skill itself; attributing them requires tracing which process and module opened each file. Even so, the skill's dotenv dependency and postinstall hook create the conditions for credential exposure. The skill also stores its wallet credentials (API key and entity secret) in plaintext and supports production mainnet transfers with no confirmation step, spending limit, or destination allowlist.

Category Scores (score · weight)

Prompt Injection 85/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 40/100 · 10%
Canary Integrity 55/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

CRITICAL AWS credentials accessed during install -30

The install process opened and read /home/oc-exec/.aws/credentials. A USDC wallet skill has no legitimate reason to access AWS credential files. The read could come from the openclaw framework or from a dependency that loads cloud credentials opportunistically; the scan records the access but not the caller, so attribution needs a file-access trace (for example strace -f on the install, or an fs hook inside the Node process) that shows which module opened the file.

CRITICAL .env file accessed during install -25

The install process opened and read /home/oc-exec/.env. The skill depends on the dotenv package, which loads a .env file into process.env when its config() function runs. Every variable in that file (API keys, database URLs, secrets) then becomes visible to the loading process and to any dependency it runs; the fact that the read happened during npm install means such a process executed as part of installation.

HIGH Agent auth profiles read during install -20

The install process read the openclaw agent's authentication profiles file, which may contain OAuth tokens or API keys for other services the agent has access to.

HIGH Shell config files read repeatedly during install -15

The .profile and .bashrc files were each read at least four times during installation. These files often contain exported environment variables holding credentials, PATH modifications, and aliases, so reading them reveals both secrets and system configuration.

HIGH postinstall script executes arbitrary build -25

The package.json postinstall hook runs 'npm run build', which compiles the TypeScript sources and sets executable permissions on the output. npm runs this automatically during npm install with no user confirmation, and the compiled output can differ from what the source suggests if tsconfig or a build dependency is manipulated. The practical check is to install with npm install --ignore-scripts, read the build script and its inputs, and then run the build deliberately.
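Reviewing install hooks is mechanical enough to script. The function below is an added example, not code from the circle-wallet repository: it lists the lifecycle scripts in a package.json that npm runs on its own during installation, follows 'npm run <script>' references so the command that actually executes is visible, and flags patterns worth a closer look. The sample package.json is constructed to resemble the finding above and is not the skill's real manifest.

```javascript
// Added example (not the skill's code): surface what `npm install` will run.
const AUTO_RUN_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Follow `npm run x` / `npm run-script x` chains down to the shell command.
// `seen` stops a self-referential chain from recursing forever.
function resolveNpmRun(command, scripts, seen = new Set()) {
  const m = /^npm\s+run(?:-script)?\s+([\w:.-]+)\s*$/.exec(String(command));
  if (!m || seen.has(m[1]) || !(m[1] in scripts)) return String(command);
  seen.add(m[1]);
  return resolveNpmRun(scripts[m[1]], scripts, seen);
}

// Patterns that deserve a second look inside an automatically executed hook.
const RISKY = [
  { re: /\bchmod\b/, why: 'changes file permissions' },
  { re: /\b(curl|wget)\b/, why: 'fetches remote content' },
  { re: /\b(node|tsc|npx)\b/, why: 'runs code or a compiler whose inputs can be altered' },
  { re: /\b(sh|bash)\s+-c\b|\|\s*(sh|bash)\b/, why: 'pipes into a shell' },
];

// Returns one record per auto-run hook: the hook name, the literal command,
// the command after expanding `npm run` references, and any risk flags.
function findLifecycleScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return AUTO_RUN_HOOKS.filter((hook) => hook in scripts).map((hook) => {
    const resolved = resolveNpmRun(scripts[hook], scripts);
    const flags = RISKY.filter(({ re }) => re.test(resolved)).map(({ why }) => why);
    return { hook, command: scripts[hook], resolved, flags };
  });
}

// Constructed sample shaped like the finding on this page; not the real file.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-wallet-skill',
  scripts: {
    build: 'tsc && chmod +x dist/cli.js',
    postinstall: 'npm run build',
    test: 'node --test',
  },
  dependencies: { dotenv: '^16.0.0' },
});

for (const f of findLifecycleScripts(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.hook}: "${f.command}" -> "${f.resolved}" [${f.flags.join('; ')}]`);
}
```

Run this against a package before installing it, or install with npm install --ignore-scripts and run the listed commands yourself once you have read them. The 'prepare' hook is included because npm also runs it on a plain npm install in the package directory and when installing git dependencies.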

MEDIUM Plaintext credential storage -10

Circle API keys and entity secrets are stored in plaintext JSON at ~/.openclaw/circle-wallet/config.json with no encryption. The entity secret is the master key for all developer-controlled wallets, so anyone who can read that file (another skill, a backup job, a stray `cat`) controls every wallet it governs, and compromise means total fund loss.

MEDIUM npm link creates global CLI binary -15

Installation instructions include 'npm link', which symlinks the package into the global node_modules directory and puts its bin entry on the global PATH. The circle-wallet command is therefore available system-wide and can be invoked by any other process or skill running as the same user, not only by the agent that installed it.

MEDIUM Production mainnet support with no safeguards -20

The skill supports a production environment with real USDC transfers. There are no confirmation prompts, spending limits, or allowlists for destination addresses, so a single tool call is enough to move funds. An agent could be social-engineered, or fed injected instructions, into sending real funds to an attacker's address.

LOW Agent usage examples suggest autonomous transactions -15

The SKILL.md shows examples where the agent autonomously sends USDC in response to user chat messages. This pattern becomes exploitable if the agent receives injected instructions from another context (a tool result, a fetched web page, a document, or a message from a different user) that are phrased like a request to send funds.
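The two findings above (no transfer safeguards, autonomous sends from chat) are addressed by the same control: a policy gate that runs inside the tool, before the transfer call, and that the model cannot talk its way around. The following is an added example and not the skill's code. The environment names, the limits, and the `humanApproved` flag are assumptions; the flag is meant to be set by the agent harness from an out-of-band step (a UI confirmation, a signed approval), never parsed from model output or the transcript, because anything the model can write an injected instruction can write too. Amounts are in whole USDC for readability; real code should carry integer base units (USDC has 6 decimals) to avoid floating-point error.

```javascript
// Added example: a transfer policy gate (not the circle-wallet implementation).

// Rolling record of what has already been sent, used for the daily cap.
class SpendLedger {
  constructor() { this.entries = []; }
  record(amount, at = Date.now()) { this.entries.push({ amount, at }); }
  spentSince(since) {
    return this.entries.filter((e) => e.at >= since).reduce((sum, e) => sum + e.amount, 0);
  }
}

const DAY_MS = 24 * 60 * 60 * 1000;

const DEFAULT_POLICY = {
  allowMainnet: false,   // production stays off unless deliberately enabled
  allowlist: new Set(),  // lower-cased destination addresses, configured by the operator
  perTransferMax: 25,    // USDC per transfer (assumed limit)
  dailyMax: 100,         // USDC per rolling 24 hours (assumed limit)
};

// Decide whether a transfer request may proceed. `humanApproved` must come
// from the harness, not from the model. Returns every reason for refusal so
// the caller can explain the refusal without retrying blindly.
function authorizeTransfer(request, policy, ledger, humanApproved, now = Date.now()) {
  const reasons = [];
  const amount = Number(request.amount);
  const dest = String(request.to || '').trim().toLowerCase();
  const isProduction = request.environment === 'production';

  if (!Number.isFinite(amount) || amount <= 0) reasons.push('amount must be a positive number');
  if (isProduction && !policy.allowMainnet) reasons.push('production (mainnet) transfers are disabled by policy');
  if (!policy.allowlist.has(dest)) reasons.push(`destination ${dest || '<empty>'} is not on the allowlist`);
  if (amount > policy.perTransferMax) reasons.push(`amount ${amount} exceeds per-transfer limit ${policy.perTransferMax}`);
  const spent = ledger.spentSince(now - DAY_MS);
  if (spent + amount > policy.dailyMax) reasons.push(`daily limit ${policy.dailyMax} would be exceeded (${spent} already sent)`);
  if (isProduction && !humanApproved) reasons.push('production transfers require out-of-band human approval');

  return { allowed: reasons.length === 0, reasons };
}

// Where the gate sits: `sendFn` stands in for the real wallet SDK call and is
// only reached when every check passed; the ledger is updated afterwards.
function guardedTransfer(request, policy, ledger, humanApproved, sendFn, now = Date.now()) {
  const decision = authorizeTransfer(request, policy, ledger, humanApproved, now);
  if (!decision.allowed) return { sent: false, reasons: decision.reasons };
  const receipt = sendFn(request);
  ledger.record(Number(request.amount), now);
  return { sent: true, receipt };
}

// Constructed demo (fake address, fake send function).
const demoPolicy = { ...DEFAULT_POLICY, allowMainnet: true, allowlist: new Set(['0x' + 'ab'.repeat(20)]) };
const demoLedger = new SpendLedger();
const demoResult = guardedTransfer(
  { to: '0x' + 'AB'.repeat(20), amount: 10, environment: 'production' },
  demoPolicy, demoLedger, /* humanApproved */ false, () => ({ id: 'demo-tx' }),
);
console.log(JSON.stringify(demoResult));
```

Putting the gate in the tool rather than in the prompt matters: an instruction injected into the model's context can change what the model asks for, but it cannot change the allowlist, the limits, or a confirmation bit that only the harness sets.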

INFO JIT compilation cache created during install -5

Files were created in /tmp/jiti/ during installation, indicating that the openclaw framework loads TypeScript through jiti, a just-in-time transpiling loader, and that this directory is its transpile cache. This is likely framework behavior rather than anything specific to the skill.