Is jameslawton/sequence-cli safe?

https://github.com/openclaw/skills/tree/main/skills/jameslawton/sequence-cli

75 · CAUTION

The jameslawton/sequence-cli skill is legitimate blockchain CLI tooling from the 0xsequence company with a completely clean installation — no malicious code, no prompt injection, no canary exfiltration. However, the skill's operational design creates substantial risk when used by an autonomous agent: it passes cryptocurrency private keys as plaintext CLI arguments, delegates those keys to a downloaded npm package running with full user permissions, and enables irreversible financial transactions that make any agent running it a high-value prompt injection target with no recovery path if exploited. The skill assumes careful human oversight for each financial operation, an assumption that is structurally incompatible with autonomous agent usage.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 88/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

HIGH Private Keys Passed as Plaintext CLI Arguments -20

Every command that requires wallet authentication passes the private key via the -k flag as a plaintext command-line argument. Process arguments are readable from /proc/<pid>/cmdline by any process with the same UID, are captured in shell history files, appear in audit logs, and may be logged by monitoring software. A 64-character hex private key exposed this way grants full control over all associated wallets.

HIGH Irreversible Financial Transactions Delegated to Agent -35

The transfer command enables an AI agent to sign and broadcast ERC20 token transfers on multiple EVM blockchains. Blockchain transactions are cryptographically final — there is no chargeback, undo, or recovery mechanism. Agent errors in recipient address parsing, hallucinated amounts, or successful prompt injection attacks result in permanent loss of user funds. The skill's design assumes careful human review of each transfer, which is structurally incompatible with autonomous agent execution.

HIGH Wallet Drain via Prompt Injection Attack Surface -20

Any agent with this skill active and a funded Sequence wallet represents a high-value prompt injection target. Malicious instructions embedded in user-provided documents, web pages fetched by the agent, or other skills' outputs could issue transfer commands to attacker-controlled addresses. The access key is likely stored in agent context or ~/.sequence-builder/config.json after setup, meaning the attacker needs only to specify a recipient address and amount. Combined with a file-reading skill, the config file can be read to obtain the access key without the user ever providing it again.

MEDIUM npx Runtime npm Code Download and Execution -35

The skill's mechanism is to invoke npx @0xsequence/builder-cli, which fetches the npm package at runtime (or uses a cached version) and executes it with full user-level permissions. This creates a supply chain dependency: a compromised npm account, malicious dependency update, typosquatting attack, or dependency confusion attack against the @0xsequence scope could result in arbitrary code execution. The downloaded code receives private keys as arguments and runs unsandboxed with access to the user's entire home directory including ~/.ssh, ~/.aws, and ~/.gnupg.

MEDIUM Private Keys Transmitted to Third-Party npm Package -15

The @0xsequence/builder-cli npm package receives cryptocurrency private keys as command arguments and uses them to derive wallet addresses, sign transactions, and authenticate with the Sequence Builder API. While 0xsequence is a known blockchain infrastructure company and the package appears legitimate, the private key handling occurs entirely within externally-controlled npm code. Any version of the package that adds telemetry, logging, or an outbound HTTP call containing the private key would silently exfiltrate all wallet funds without detection at the skill layer.

MEDIUM Credentials Persisted to World-Readable Home Directory Config -10

The CLI stores JWT authentication tokens and optionally AES-encrypted private keys in ~/.sequence-builder/config.json. This file is owned by the user but accessible to any process running under the same UID. In an agent environment where multiple skills, tools, or subprocesses share a user account, this credential store becomes a shared secret visible to all components. The SEQUENCE_PASSPHRASE environment variable, which decrypts the stored private key, is also inherited by all child processes of the agent.

LOW Custom API URL Enables Authentication Endpoint Hijacking -12

The login command accepts --api-url and --env flags, allowing the API endpoint used for authentication to be overridden. If an agent is manipulated via prompt injection to authenticate against a malicious URL, the private key submitted during the login handshake could be intercepted by an attacker-controlled server masquerading as the Sequence Builder API. This is a secondary risk that requires a prompt injection precondition, but it represents a complete credential compromise if triggered.

LOW Private Keys May Appear in Agent Reasoning Output -5

When an AI agent uses this skill, private keys may appear in the agent's reasoning traces, tool call arguments, or response text if the agent quotes or repeats command outputs. Many agent frameworks log reasoning and tool calls to disk or ship them to cloud services. A private key appearing in a log file or cloud telemetry system constitutes a permanent credential leak.

INFO Clean Installation with Expected Network Behavior 0

Installation performed a clean sparse git clone from the official openclaw/skills repository on GitHub (140.82.121.4). No unexpected process spawning, no connections to non-GitHub hosts, no filesystem writes outside the skill directory. Ubuntu infrastructure connections (185.125.x.x) observed are standard system-level activity unrelated to the skill.

INFO All Honeypot Files Intact — No Exfiltration Detected 0

Honeypot files simulating .env, SSH private key, AWS credentials, .npmrc, Docker config, and GCloud application credentials were all confirmed intact after installation. inotifywait events showing these files opened at 08:51:26 predate the skill installation (git clone began at 08:51:32) and correspond to the audit framework's own canary setup routine. The second set of auditd PATH events at audit(1771923104) matches the post-install verification scan pattern.