Is gnufoo/cryptowallet safe?
https://github.com/openclaw/skills/tree/main/skills/gnufoo/cryptowallet
gnufoo/cryptowallet is a technically clean cryptocurrency wallet management skill: the SKILL.md contains no prompt injection, no exfiltration backdoors or obfuscated code were found in any Python script, canary files were untouched by skill code, and install behavior was normal. The skill receives a SAFE code-quality verdict. However, its core purpose — managing live mainnet private keys and broadcasting irreversible blockchain transactions — creates extreme financial risk: a single successful prompt injection attack via untrusted document content could permanently drain user wallets with no recovery path, and the scripts provide no confirmation layer, rate limiting, or spending caps to limit damage.
Category Scores
Findings (10)
HIGH Mainnet cryptocurrency operations with no confirmation layer or rate limiting -30
The skill defaults to operating on live mainnets (Ethereum, Polygon, Solana, BSC, and 9 others). The Python scripts accept all parameters via CLI and execute immediately — no confirmation prompts, no dry-run mode, no per-session spending limits, and no transaction count caps. An LLM agent can be manipulated through indirect prompt injection (content in PDFs, emails, web pages) to sign and broadcast transactions to attacker-controlled addresses. Because blockchain transactions are final and irreversible, even a single successful manipulation produces catastrophic, permanent financial loss.
HIGH All transactions are irreversible — vulnerability class is CATASTROPHIC not RECOVERABLE -20
Unlike file edits, API calls, or most agent operations that can be undone, signed blockchain transactions cannot be reversed by any party once broadcast. This elevates the consequence of every vulnerability or misconfiguration from recoverable to catastrophic. The skill's risk profile must be evaluated under this constraint: there is no rollback, no support ticket, and no chargeback.
MEDIUM enable_unaudited_hdwallet_features() used for HD wallet derivation -15
wallet_manager.py calls enable_unaudited_hdwallet_features() to turn on the eth-account library's BIP39/BIP44 HD wallet derivation, a code path the library's own maintainers label 'unaudited' in their security documentation because it has not received a formal cryptographic security review. Deriving keys that control real mainnet funds through unaudited code introduces a key compromise risk whose severity cannot be bounded.
MEDIUM Encrypted private key blobs persisted at predictable path accessible to co-installed skills -15
All wallet files are written to ~/.clawdbot/cryptowallet/
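The check a reviewer would run against that directory, as an added example rather than code from the skill: walk the wallet tree, flag anything a co-installed process running as a different uid or with group/other permissions could read, and tighten it to owner-only. The layout (a wallet directory holding a keystore file) follows the finding; the temporary directory and file contents are constructed for the demonstration.

```python
"""Verify that a wallet directory and its key files are private to the owner.

Added example, not part of gnufoo/cryptowallet. It assumes the layout the
finding describes (wallet files under ~/.clawdbot/cryptowallet/) and flags
anything readable or writable by group or others, or owned by another uid.
"""
import os
import stat
import tempfile
from pathlib import Path

# Any of these bits set on key material means another account can touch it.
_UNSAFE_BITS = stat.S_IRWXG | stat.S_IRWXO


def check_private_tree(root: Path) -> list[str]:
    """Return a list of problems; an empty list means the tree is owner-only."""
    root = Path(root)
    if not root.exists():
        return [f"{root}: does not exist"]
    problems = []
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            # A symlink could redirect a write into a location the attacker controls.
            problems.append(f"{path}: symlink inside key directory")
            continue
        if st.st_uid != os.getuid():
            problems.append(f"{path}: owned by uid {st.st_uid}, not the current user")
        if st.st_mode & _UNSAFE_BITS:
            problems.append(
                f"{path}: mode {stat.filemode(st.st_mode)} grants group/other access")
    return problems


def harden_private_tree(root: Path) -> None:
    """Restrict the tree to the owner: 0700 for directories, 0600 for files."""
    for path in [Path(root), *Path(root).rglob("*")]:
        if path.is_symlink():
            continue
        path.chmod(0o700 if path.is_dir() else 0o600)


def demo() -> tuple[int, int]:
    """Constructed scenario: a wallet directory with a world-readable keystore.

    Returns (problems before hardening, problems after hardening).
    """
    with tempfile.TemporaryDirectory() as tmp:
        wallet_dir = Path(tmp) / "cryptowallet"
        wallet_dir.mkdir()
        wallet_dir.chmod(0o755)                       # typical default, too open
        keystore = wallet_dir / "wallet.json"
        keystore.write_text('{"crypto": "constructed placeholder"}')
        keystore.chmod(0o644)                         # readable by every local user
        before = len(check_private_tree(wallet_dir))
        harden_private_tree(wallet_dir)
        after = len(check_private_tree(wallet_dir))
        return before, after


if __name__ == "__main__":
    print(demo())
```

Permissions only protect against other uids; a co-installed skill that runs as the same user inside the same agent process sees the files regardless, which is why the finding treats the predictable path itself as the problem.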
MEDIUM Transaction metadata sent to public third-party RPC providers -12
All blockchain queries and transaction broadcasts route through public RPC endpoints not operated by the user. These providers can log source IP, wallet addresses, transaction history, and query patterns. Users with privacy, compliance, or security requirements may be unknowingly exposed.
MEDIUM No in-script confirmation, spending limits, or rate limiting -12
The agent has no automated safety brake when invoking wallet operations. Scripts accept recipient addresses and amounts purely from their arguments with no validation against a whitelist, no daily spending cap, and no user confirmation step before signing. A compromised conversation context can issue unlimited transactions.
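What the missing brake looks like, serving both the first HIGH finding and this one, as an added example that is not code from gnufoo/cryptowallet: a policy object that every send must pass before a signer is ever called, with a recipient allowlist, a per-session spend cap, a sliding-window rate limit, a dry-run mode and a confirmation callback that is answered by the user, not by the model. The broadcast callable, the addresses and the auto-approving confirm in the demo are constructed stand-ins.

```python
"""Policy gate evaluated before any wallet operation is signed.

Added example; not code from gnufoo/cryptowallet. It supplies the brake the
findings say is missing. The broadcast callable, the addresses and the
confirm function used in demo() are constructed stand-ins; in a real script
confirm would call input() on a terminal the agent cannot write to.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal


class PolicyViolation(Exception):
    """The request failed a check; nothing was signed or broadcast."""


@dataclass
class SpendPolicy:
    allowlist: frozenset[str]        # permitted recipients, lowercase hex
    session_cap: Decimal             # total value this process may ever send
    max_tx_per_window: int           # rate limit ...
    window_seconds: float            # ... over this sliding window
    spent: Decimal = Decimal(0)
    sent_at: list[float] = field(default_factory=list)

    def _recent(self, now: float) -> list[float]:
        return [t for t in self.sent_at if now - t < self.window_seconds]

    def check(self, to: str, amount: Decimal, now: float) -> None:
        """Pure check: raises on the first violation, mutates nothing."""
        if amount <= 0:
            raise PolicyViolation("amount must be positive")
        if to.lower() not in self.allowlist:
            raise PolicyViolation(f"recipient {to} not on allowlist")
        if self.spent + amount > self.session_cap:
            raise PolicyViolation(f"session cap {self.session_cap} exceeded")
        if len(self._recent(now)) >= self.max_tx_per_window:
            raise PolicyViolation("rate limit reached")

    def record(self, amount: Decimal, now: float) -> None:
        """Called only after a broadcast actually happened."""
        self.spent += amount
        self.sent_at = self._recent(now) + [now]


def send_guarded(policy, confirm, broadcast, to, amount, now, dry_run=False):
    """The only path allowed to reach the signer. Order matters: automatic
    checks first, then the human, then signing, then bookkeeping."""
    amount = Decimal(str(amount))
    policy.check(to, amount, now)
    if dry_run:
        return f"DRY-RUN would send {amount} to {to}"
    if not confirm(f"Send {amount} to {to}? [y/N] "):
        raise PolicyViolation("user declined")
    tx_id = broadcast(to, amount)        # the real sign-and-broadcast goes here
    policy.record(amount, now)
    return tx_id


def demo() -> list[str]:
    """Constructed scenario: a legitimate user plus one injected instruction."""
    sent = []

    def broadcast(to, amount):           # constructed stand-in for the signer
        sent.append((to, amount))
        return f"tx{len(sent)}"

    def confirm(prompt):                 # stand-in; real code asks the user
        return True

    policy = SpendPolicy(allowlist=frozenset({"0x" + "a" * 40}),   # constructed
                         session_cap=Decimal("1.0"),
                         max_tx_per_window=2, window_seconds=60)
    good, attacker = "0x" + "A" * 40, "0x" + "b" * 40

    def attempt(to, amount, now, **kw):
        try:
            return send_guarded(policy, confirm, broadcast, to, amount, now, **kw)
        except PolicyViolation as e:
            return f"rejected: {e}"

    return [
        attempt(good, "0.5", now=1000),                 # tx1
        attempt(attacker, "0.5", now=1000.5),           # injected: not allowlisted
        attempt(good, "0.4", now=1001),                 # tx2
        attempt(good, "0.05", now=1002),                # third in window: rate limit
        attempt(good, "0.05", now=1100),                # window elapsed: tx3
        attempt(good, "0.1", now=1101),                 # 1.05 > cap: refused
        attempt(good, "0.01", now=1102, dry_run=True),  # checked, nothing sent
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The allowlist is the check that defeats the injection scenario outright; the cap and rate limit bound the damage if the allowlist is ever loosened, and the dry-run lets the agent plan without spending.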
LOW Documentation normalizes cleartext passwords as CLI arguments -7
Every usage example in SKILL.md passes the wallet decryption password as a visible --password argument. Passwords on command lines appear in shell history (~/.bash_history), process listings (ps aux/top), and potentially in agent conversation logs or transcripts. This trains both users and the agent to treat wallet passwords as CLI arguments rather than prompts.
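How a script can take the password without it landing in argv, as an added example rather than the skill's own code: refuse --password with a message that says why, and read the secret from stdin, from an owner-only file, from an environment variable or from a no-echo prompt instead. The flag names --password-stdin and --password-file and the variable WALLET_PASSWORD are assumed names, not the skill's.

```python
"""Accept the wallet password through channels that never appear in argv.

Added example, not code from the skill. The --password-stdin and
--password-file flags and the WALLET_PASSWORD variable are assumed names.
"""
import argparse
import getpass
import io
import os
import sys
from pathlib import Path


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(description="wallet operation (password handling only)")
    src = p.add_mutually_exclusive_group()
    src.add_argument("--password-stdin", action="store_true",
                     help="read the password from the first line of stdin")
    src.add_argument("--password-file", type=Path,
                     help="read the password from a file only the owner can read")
    # Still parsed so the old habit gets a clear refusal instead of a traceback.
    src.add_argument("--password", help=argparse.SUPPRESS)
    return p


def resolve_password(args, stdin=None, environ=None, prompt=getpass.getpass) -> str:
    stdin = sys.stdin if stdin is None else stdin
    environ = os.environ if environ is None else environ
    if args.password is not None:
        raise SystemExit("--password is refused: argv is visible in ~/.bash_history "
                         "and `ps aux`; use --password-stdin, --password-file or "
                         "WALLET_PASSWORD")
    if args.password_stdin:
        pw = stdin.readline().rstrip("\r\n")
    elif args.password_file is not None:
        if args.password_file.stat().st_mode & 0o077:
            raise SystemExit(f"{args.password_file}: must not be group/world readable")
        pw = args.password_file.read_text().rstrip("\r\n")
    elif environ.get("WALLET_PASSWORD"):
        # Not in argv, but readable from /proc/<pid>/environ by the same uid
        # and inherited by child processes; prefer stdin or the prompt.
        pw = environ["WALLET_PASSWORD"]
    else:
        pw = prompt("Wallet password: ")   # getpass: no echo, nothing in argv
    if not pw:
        raise SystemExit("empty password")
    return pw


def password_for(argv, stdin_text="", environ=None, prompt=lambda _: ""):
    """Drive the parser end to end; returns the password or the refusal text.

    stdin, environment and prompt are injected so the behaviour can be
    exercised without a terminal; the defaults are constructed empties.
    """
    args = build_parser().parse_args(argv)
    try:
        return resolve_password(args, stdin=io.StringIO(stdin_text),
                                environ=environ or {}, prompt=prompt)
    except SystemExit as e:
        return f"refused: {e}"


if __name__ == "__main__":
    print(resolve_password(build_parser().parse_args()))
```

For an agent-driven script the stdin route is the one to document, since the agent can pipe the secret from a credential helper without the value ever being quoted in a command line that ends up in its transcript.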
LOW _meta.json commit URL references different repository than clone source -3
The skill package's metadata records a commit from github.com/clawdbot/skills, but the skill was cloned from github.com/openclaw/skills. This is a minor provenance inconsistency with no observed functional impact, most likely a repository rename or organizational transfer artifact left in the metadata file.
LOW Development environment lock file bundled inside the published skill -2
The skill ships with .clawhub/lock.json recording that academic-research-hub v0.1.0 was installed at timestamp 1770957475341. This file appears to be a development-environment artifact accidentally included in the published package. It is not known to cause harm but indicates imprecise packaging hygiene.
INFO Canary file accesses attributable entirely to audit system 0
Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials, but timestamp analysis attributes all of them to the audit platform's own pre-install baseline and post-install verification sweeps: six files were accessed simultaneously at 1771914058.959, the characteristic batch pattern of a sweep. No skill Python script references these paths. Canary integrity confirmed.
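The timestamp analysis described above, as an added example and not the audit platform's own tooling: parse auditd SYSCALL and PATH records, join them on the event serial, keep the canary hits, cluster them by timestamp, and treat any cluster that touches most of the canary set within a second as a harness sweep. Whatever is left is an isolated hit that would need to be attributed. The log lines are constructed (home path, serials, the /opt/audit/sweep binary, the gcloud file name), and one synthetic lone python3 access is included only to show what a skill-attributable hit would look like; the report found none.

```python
"""Separate canary-file hits caused by the harness's batch sweeps from
isolated hits that would point at the skill under test.

Added example; not part of the report's tooling. All log lines below are
constructed, including one synthetic lone access that the report did not
observe, so that the classifier has something to flag.
"""
import re
from collections import defaultdict

# Canary files named in the report; the gcloud path is an assumed concrete name.
CANARY_SUFFIXES = (".env", ".ssh/id_rsa", ".aws/credentials", ".npmrc",
                   ".docker/config.json", ".config/gcloud/credentials.db")

_HDR = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$')
_FIELD = re.compile(r'(\w+)="([^"]*)"')


def _event(ts, serial, exe, name):
    """Build the SYSCALL and PATH records auditd emits for one file open."""
    comm = exe.rsplit("/", 1)[-1]
    return [
        f'type=SYSCALL msg=audit({ts}:{serial}): arch=c000003e syscall=257 '
        f'success=yes exit=3 comm="{comm}" exe="{exe}" key="canary"',
        f'type=PATH msg=audit({ts}:{serial}): item=0 name="{name}" nametype=NORMAL',
    ]


HOME = "/home/user"                                   # constructed
_CANARY_FILES = [f"{HOME}/{s}" for s in CANARY_SUFFIXES]
SAMPLE_LOG = []
for i, f in enumerate(_CANARY_FILES):                 # pre-install baseline sweep
    SAMPLE_LOG += _event("1771914058.959", 1001 + i, "/opt/audit/sweep", f)
SAMPLE_LOG += _event("1771914090.512", 1100,          # synthetic lone hit
                     "/usr/bin/python3", f"{HOME}/.ssh/id_rsa")
for i, f in enumerate(_CANARY_FILES):                 # post-install verification sweep
    SAMPLE_LOG += _event("1771914120.001", 1201 + i, "/opt/audit/sweep", f)


def parse_events(lines):
    """Join SYSCALL and PATH records that share an audit serial."""
    events = defaultdict(dict)
    for line in lines:
        m = _HDR.match(line.strip())
        if not m:
            continue
        ev = events[m["serial"]]
        ev["ts"] = float(m["ts"])
        fields = dict(_FIELD.findall(m["rest"]))
        if m["type"] == "SYSCALL":
            ev["exe"] = fields.get("exe", "?")
        elif m["type"] == "PATH":
            ev.setdefault("names", []).append(fields["name"])
    return [ev for ev in events.values() if "names" in ev]


def canary_hits(events):
    hits = [{"ts": ev["ts"], "exe": ev.get("exe", "?"), "name": n}
            for ev in events for n in ev["names"] if n.endswith(CANARY_SUFFIXES)]
    return sorted(hits, key=lambda h: h["ts"])


def triage(lines, window=1.0, sweep_min=4):
    """Cluster hits within `window` seconds; a cluster touching at least
    `sweep_min` distinct canary files is a harness sweep, the rest is isolated."""
    clusters, current = [], []
    for h in canary_hits(parse_events(lines)):
        if current and h["ts"] - current[0]["ts"] > window:
            clusters.append(current)
            current = []
        current.append(h)
    if current:
        clusters.append(current)
    sweeps, isolated = [], []
    for c in clusters:
        (sweeps if len({h["name"] for h in c}) >= sweep_min else isolated.extend)(c) \
            if False else None
        if len({h["name"] for h in c}) >= sweep_min:
            sweeps.append(c)
        else:
            isolated.extend(c)
    return {"sweeps": sweeps, "isolated": isolated}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(len(result["sweeps"]), "sweeps;", result["isolated"])
```

The exe field of an isolated hit is what ties it to a process; on the real run every hit fell inside a sweep cluster and no Python script in the skill named those paths, which is the basis for the canary-intact conclusion.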