registry  /  @agentlayer.tech/wallet  /  0.1.75

@agentlayer.tech/wallet@0.1.75

⚠ Under review

NPM installer for the OpenClaw Agent Wallet local runtime.

Static Scan Results

scanned 5d ago · by rust-scanner

Static analysis flagged 14 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
Manifest
NoLicense
scanned 16 file(s), 481 KB of source, external domains: agent-layer-production.up.railway.app, api.mainnet-beta.solana.com, api.morpho.org, eth-api.lido.fi, eth.drpc.org, li.quest, mainnet.base.org, sepolia.base.org, sepolia.drpc.org, trade-api.gateway.uniswap.org

Source & flagged code

6 flagged · loading source
README.mdView file
If you are an individual developer, researcher, student, security reviewer, or hobbyist, you can:
High
Ai Reviewer Manipulation

Package text addresses the security reviewer or scanner and tries to influence the review outcome.

README.mdView on unpkg
bin/openclaw-agent-wallet.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @agentlayer.tech/wallet@0.1.74 matchedIdentity = npm:QGFnZW50bGF5ZXIudGVjaC93YWxsZXQ:0.1.74 similarity = 0.938 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/openclaw-agent-wallet.mjsView on unpkg
2L3: import { spawn, spawnSync } from "node:child_process"; L4: import crypto from "node:crypto";
High
Child Process

Package source references child process execution.

bin/openclaw-agent-wallet.mjsView on unpkg · L2
535const result = spawnSync("command", ["-v", name], { L536: shell: true, L537: stdio: "ignore",
High
Shell

Package source references shell execution.

bin/openclaw-agent-wallet.mjsView on unpkg · L535
2717target_version: packageVersion, L2718: fix: `npm install --global ${packageJson.name}@${packageVersion}`, L2719: }; ... L2721: const packageSpec = `${packageJson.name}@${packageVersion}`; L2722: const result = spawnSync( L2723: installed.npm_bin,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/openclaw-agent-wallet.mjsView on unpkg · L2717
setup.shView file
path = setup.sh kind = build_helper sizeBytes = 2795 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

setup.shView on unpkg

Findings

1 Critical4 High4 Medium5 Low
CriticalPrevious Version Dangerous Deltabin/openclaw-agent-wallet.mjs
HighAi Reviewer ManipulationREADME.md
HighChild Processbin/openclaw-agent-wallet.mjs
HighShellbin/openclaw-agent-wallet.mjs
HighRuntime Package Installbin/openclaw-agent-wallet.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpersetup.sh
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNo License