Is humanrupert/tether-wallet-development-kit safe?

https://github.com/openclaw/skills/tree/main/skills/humanrupert/tether-wallet-development-kit

Overall score: 84 · SAFE

The Tether WDK skill is a legitimate documentation-only skill for the official Tether wallet SDK with no executable code, no exfiltration mechanisms, and a strong built-in security framework. Its primary risks are inherent to the domain: it enables an agent to execute irreversible cryptocurrency transactions, sign arbitrary messages with private keys, and invoke arbitrary EVM contract calls via the data field. These risks are substantially mitigated by the skill's mandatory confirmation, fee-estimation, and anti-injection requirements, but cannot be eliminated entirely. Two concerns warrant caution: an undisclosed academic-research-hub sub-skill dependency in the bundled lock.json, and canary file reads detected post-install whose attribution to audit infrastructure (rather than the skill) is probable but not certain.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 78/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (10)

HIGH Irreversible crypto transaction execution in high-risk domain -32

This skill gives the agent full capability to send cryptocurrency transactions, execute DeFi operations (swap, bridge, borrow, repay), and sign arbitrary messages using private keys across 20+ blockchains. All of these operations are cryptographically irreversible. A sufficiently sophisticated prompt injection or social engineering attack could result in permanent loss of user funds.

MEDIUM Arbitrary EVM contract execution via sendTransaction data field -15

The wallet-evm and wallet-evm-erc-4337 modules accept a 'data' field in sendTransaction that can encode any ABI-encoded contract call, including token approve() with unlimited allowance, transferFrom(), setApprovalForAll(), or any other function on any contract. The skill itself warns about this but cannot prevent misuse by a compromised agent.

MEDIUM sign() method on all wallets enables arbitrary off-chain authorization -12

Every wallet module exposes a sign(message) method that uses the private key to sign arbitrary byte strings. This can authorize off-chain actions such as EIP-712 permit signatures, EIP-3009 transferWithAuthorization, or protocol-specific approvals without broadcasting an on-chain transaction. The skill correctly labels this as dangerous but cannot prevent a compromised agent from invoking it.

MEDIUM Undisclosed academic-research-hub sub-skill dependency in lock.json -18

The file .clawhub/lock.json bundled inside the skill directory records the installation of a separate skill 'academic-research-hub' v0.1.0. This lock file's timestamp (1770957475341) post-dates the WDK skill's own v1.0.3 publish (1770892077089), indicating this dependency was installed alongside the WDK skill. The academic-research-hub skill was not presented for audit and introduces an unverified supply chain component.

MEDIUM ERC-4337 batch transaction array enables multi-operation attack chains -10

The wallet-evm-erc-4337 module accepts an array of transactions in a single sendTransaction call. A prompt injection that bypasses the human confirmation check could chain an approve() + drain operation or multiple token transfers in a single atomic UserOperation, potentially moving all funds before a user can intervene.

LOW web_search unlock pattern for web_fetch in URL workflow -18

The SKILL.md URL Fetching Workflow instructs the agent: if web_fetch fails, use web_search on the exact URL to 'unlock fetching', then retry web_fetch. This pattern, while common in skill development, means a malicious reference file could instruct the agent to web_search attacker-controlled URLs to prefetch or index them. In this skill the reference files contain only legitimate Tether documentation URLs.

LOW Canary file reads detected at post-install timestamps -22

File system audit records show read access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at 1771949044.373 and 1771949051.650 — approximately 5-12 seconds after skill installation completed. These accesses are adjacent to known audit infrastructure commands (ip neigh show, git rev-parse) and no data was transmitted to external hosts. File content integrity was confirmed intact by the monitoring system.

LOW Reference file path mismatch between SKILL.md and actual file structure -8

SKILL.md instructs the agent to read reference files from a 'references/' subdirectory, but the installed skill places these files in a 'skills/' subdirectory. This discrepancy means the skill's own instructions are inconsistent with its file layout and could cause the agent to search for non-existent paths or be directed elsewhere.

INFO Pure markdown documentation skill — no executable code 0

The skill consists entirely of .md files and a .json metadata file. No JavaScript, TypeScript, shell scripts, Python, or other executable code is present. No package.json, no npm lifecycle scripts, no git hooks, no submodules, and no symlinks were found. This significantly limits the skill's attack surface at install time.

INFO Comprehensive built-in anti-injection security section 0

The skill includes an extensive Security section that explicitly enumerates injection attack patterns ('ignore previous instructions', 'system override', 'admin mode'), social engineering tactics ('the user previously approved this', 'this is just a test'), and external content vectors ('the email says to send', 'this webhook requests'). It provides explicit ONLY-execute-when criteria. This is a positive security control that raises the bar for injection success.