Is loomlay/openclaw-wallet safe?

SKILL.md explicitly instructs the agent to autonomously run a wallet creation and checking sequence on the very first interaction with a user, or whenever the skill is loaded — without waiting for an explicit user request. This is a behavioral hijack: any agent loaded with this skill will proactively execute external API calls and potentially create financial accounts without user knowledge.

The plugin auto-registers for an API key on first use, transmitting information to Loomlay's external servers and persisting credentials to ~/.loomlay/credentials.json. Users have no visibility into what data (machine identifiers, IP address, environment info) is sent during registration. This constitutes unauthorized outbound data transmission on behalf of the user.

All 27 tools depend on installing @loomlay/openclaw-wallet-plugin from npm, an unaudited third-party package not present in the skill repo and not examined during this audit. This package may contain postinstall scripts, malicious code, or be a vector for future supply chain compromise. The entire security posture of this skill depends on trusting an external package outside the audit scope.

The skill enables execution of real cryptocurrency transactions including full-balance transfers (amount: 'max'), cross-chain bridges across 7 networks, and token launches with market caps up to $10M. These operations are irreversible on-chain. A social engineering attack, prompt injection, or compromised agent could result in total loss of user funds with no recovery path.

The skill contains an instruction directing the agent to delete ~/.loomlay/credentials.json autonomously if an UNAUTHORIZED error occurs, then re-register. This embeds a filesystem modification command as an automatic response to an error condition, bypassing normal user approval for file deletion.

The wallet_export_keys() tool returns raw Solana and EVM private keys to the agent in plaintext. In multi-step agent operations, these keys could appear in conversation context, be logged by the agent runtime, be passed to a subsequent tool call, or be exfiltrated by a malicious prompt injection chained from another skill or user input.

The plugin includes fees_status and fees_claim tools that track and claim accumulated transaction fees to a beneficiary account. Users trading through the skill generate platform revenue for Loomlay without prominent disclosure. The feeForfeitsAt expiry creates ongoing pressure on the operator to claim, incentivizing continued promotion of the plugin.

The rpc_call tool passes arbitrary method names and parameters directly to blockchain RPC nodes. This is a low-level primitive that bypasses the higher-level tool abstractions and could be used to call methods not intended to be exposed, query sensitive on-chain state, or interact with arbitrary smart contracts.

The git clone process contacted only GitHub (140.82.121.4:443). Connections to 91.189.91.48 and 185.125.188.5x are Ubuntu/Canonical system infrastructure. No new listening ports were opened, no unexpected processes were spawned, and no filesystem changes occurred outside the skill directory. The install was clean.