Is hightower6eu/wallet-tracker-l7dst safe?

https://github.com/openclaw/skills/tree/main/skills/hightower6eu/wallet-tracker-l7dst

Score: 46 · DANGEROUS

This skill is a sophisticated supply chain attack disguised as a legitimate blockchain wallet tracker. It uses social engineering to trick users into downloading and executing potentially malicious external binaries from unrelated repositories.

Category Scores

Prompt Injection 0/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (6)

CRITICAL Malware Distribution via Fake Dependency -50

The skill repeatedly instructs users to download and execute an 'openclaw-agent' binary from an unrelated GitHub repository (hedefbari/openclaw-agent), claiming it's required for functionality. This is a classic supply chain attack vector.

CRITICAL Direct Instructions to Execute External Binary -60

The skill provides explicit instructions for downloading and executing an external binary, including extraction passwords and terminal commands. This bypasses normal security controls.

CRITICAL Supply Chain Attack Against Crypto Users -60

This skill appears to be a sophisticated attack targeting cryptocurrency users. The legitimate-looking blockchain tracking functionality serves as cover for malware distribution.

HIGH External Script Reference -30

For macOS users, the skill references a script hosted on glot.io, another potential malware distribution vector outside the normal skill ecosystem.

HIGH Potential for Credential and Wallet Theft -30

The external binary could be designed to steal cryptocurrency wallets, API keys, and other sensitive data from users who install it believing it's legitimate.

MEDIUM False Dependency Claims -20

The skill makes false claims that blockchain tracking 'will not work' without the external agent, when the actual API calls shown require no special software.