Is teneo-agent-sdk safe?

https://clawhub.ai/teneoprotocoldev/teneo-agent-sdk

62
CAUTION

The Teneo Agent SDK skill is a documentation-only SKILL.md with no embedded executable code, no install scripts, and clean clone behavior. However, it poses significant financial risk by instructing agents to load Ethereum private keys from environment variables and use them for wallet authentication with a third-party WebSocket server, while enabling autonomous cryptocurrency spending through the x402 payment protocol without user confirmation steps. The USDC contract addresses appear to be legitimate, but the overall pattern of normalizing private key handling and unsupervised financial transactions is concerning.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (7)

CRITICAL Ethereum private key exposure via WebSocket -40

The skill instructs the agent to load an Ethereum private key from process.env.PRIVATE_KEY and use it to authenticate with an external WebSocket server at wss://backend.developer.chatroom.teneo-protocol.ai/ws. The private key is used for wallet-based signature authentication, meaning the key material is actively used in cryptographic operations and the server learns the wallet address. If the WebSocket server is malicious or compromised, it could conduct challenge-response attacks to extract signing capabilities.

HIGH Autonomous cryptocurrency spending -20

The skill's x402 payment protocol enables the agent to autonomously spend USDC tokens from the user's wallet on Base, Peaq, or Avalanche networks. Code examples show payments of $0.01-$0.10 per request with no explicit spending cap or user confirmation step. An agent following these instructions could drain wallet funds through repeated interactions.

MEDIUM Trust anchoring to external infrastructure -25

The skill hardcodes a specific WebSocket URL and three specific smart contract addresses (USDC on Base, Peaq, Avalanche), establishing implicit trust in third-party infrastructure. An agent using this skill would connect to these endpoints without independent verification. The contract addresses could theoretically be for malicious tokens rather than legitimate USDC.

MEDIUM Private key handling normalization -35

The skill normalizes a dangerous pattern: loading raw private keys from environment variables and using them in SDK initialization. This trains the agent to treat private key access as routine, reducing its resistance to future requests involving key material. The dotenv/config import pattern auto-loads .env files without explicit user consent per session.

LOW External npm package dependency -15

The skill instructs installation of @teneo-protocol/sdk from npm, which could contain arbitrary code. While this is standard practice, the package is from a less-established publisher and its contents were not audited as part of this skill review.

HIGH No user confirmation for financial transactions -35

The skill's code examples show fully autonomous payment flows with no user confirmation step before spending cryptocurrency. The agent is instructed to detect payments after the fact (parsing response text for dollar amounts) rather than requiring approval before authorization. This creates a pattern where financial transactions happen without explicit consent.

INFO Clean installation with no suspicious activity -5

The skill installation produced no network activity, no process spawning, and no filesystem changes outside the expected directories. All filesystem events were standard JIT compilation artifacts.