@kevinlilili/agent-wallet 0.1.0 → 0.2.0

package/index.js

@@ -10,7 +10,7 @@
  * Security: ONLY reads public addresses. Never reads private keys.
  */
 
-const { readFileSync, existsSync, readdirSync } = require("fs");
+const { readFileSync, existsSync, readdirSync, statSync } = require("fs");
 const { homedir } = require("os");
 const { join } = require("path");
 const { execSync } = require("child_process");
@@ -44,37 +44,74 @@ function scanAgentCash() {
   return wallets;
 }
 
-function scanSponge() {
+function scanMCPWallets() {
   const wallets = [];
+  const seen = new Set();
 
-  // Sponge stores wallet in ~/.sponge/ or via MCP config env vars
-  const spongeWallet = readJson(join(HOME, ".sponge", "wallet.json"));
-  if (spongeWallet && typeof spongeWallet.address === "string") {
-    wallets.push({ provider: "Sponge", address: spongeWallet.address, chain: "evm" });
-  }
-
-  // Check MCP configs for Sponge server env vars
+  // All known MCP config file locations and their display labels
   const mcpConfigs = [
-    join(HOME, "Library", "Application Support", "Claude", "claude_desktop_config.json"),
-    join(HOME, ".cursor", "mcp.json"),
+    { path: join(HOME, "Library", "Application Support", "Claude", "claude_desktop_config.json"), label: "Claude Desktop" },
+    { path: join(HOME, ".cursor", "mcp.json"), label: "Cursor" },
+    { path: join(HOME, ".claude.json"), label: "Claude Code" },
   ];
 
-  for (const configPath of mcpConfigs) {
+  // Helpers to classify addresses
+  const isEvmAddress = (val) =>
+    typeof val === "string" && /^0x[a-fA-F0-9]{40}$/.test(val);
+
+  const isSolanaAddress = (val) =>
+    typeof val === "string" && !val.startsWith("0x") &&
+    /^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(val);
+
+  const isPrivateKeyVar = (key) =>
+    key.toUpperCase().includes("PRIVATE_KEY");
+
+  const isWalletVar = (key) => {
+    const upper = key.toUpperCase();
+    return upper.endsWith("_ADDRESS") || upper.endsWith("_WALLET") || upper.endsWith("_WALLET_ADDRESS");
+  };
+
+  function addWallet(provider, address, chain) {
+    if (seen.has(address)) return;
+    seen.add(address);
+    wallets.push({ provider, address, chain });
+  }
+
+  for (const { path: configPath, label } of mcpConfigs) {
     const data = readJson(configPath);
     if (!data) continue;
     const servers = data.mcpServers;
-    if (!servers) continue;
-
-    for (const [name, config] of Object.entries(servers)) {
-      if (!name.toLowerCase().includes("sponge")) continue;
-      const env = config.env;
-      if (!env) continue;
-
-      // Look for wallet address in env vars
-      for (const [key, val] of Object.entries(env)) {
-        if (typeof val === "string" && val.startsWith("0x") && val.length === 42 &&
-            (key.includes("ADDRESS") || key.includes("WALLET"))) {
-          wallets.push({ provider: `Sponge (${name})`, address: val, chain: "evm" });
+    if (!servers || typeof servers !== "object") continue;
+
+    for (const [serverName, config] of Object.entries(servers)) {
+      if (!config || typeof config !== "object") continue;
+      const providerLabel = `${serverName} (${label})`;
+
+      // Scan env vars for wallet addresses
+      if (config.env && typeof config.env === "object") {
+        for (const [key, val] of Object.entries(config.env)) {
+          // SECURITY: never read private keys
+          if (isPrivateKeyVar(key)) continue;
+
+          if (isWalletVar(key)) {
+            if (isEvmAddress(val)) {
+              addWallet(providerLabel, val, "evm");
+            } else if (isSolanaAddress(val)) {
+              addWallet(providerLabel, val, "solana");
+            }
+          }
+        }
+      }
+
+      // Scan args array for wallet addresses passed as CLI arguments
+      if (Array.isArray(config.args)) {
+        for (const arg of config.args) {
+          if (typeof arg !== "string") continue;
+          if (isEvmAddress(arg)) {
+            addWallet(providerLabel, arg, "evm");
+          } else if (isSolanaAddress(arg)) {
+            addWallet(providerLabel, arg, "solana");
+          }
         }
       }
     }
@@ -179,6 +216,193 @@ function scanEnvFiles() {
   return wallets;
 }
 
+// ── Security Scanner ────────────────────────────────────────────
+
+const SEVERITY = { CRITICAL: "critical", WARNING: "warning", INFO: "info" };
+const RED = "\x1b[31m";
+
+function securityScan(wallets) {
+  const findings = [];
+
+  // ── 1. Plaintext private keys in wallet files ──
+  const walletFiles = [
+    { path: join(HOME, ".agentcash", "wallet.json"), provider: "AgentCash", keyFields: ["privateKey", "private_key", "secretKey"] },
+    { path: join(HOME, ".agentcash", "solana-wallet.json"), provider: "AgentCash (SOL)", keyFields: ["privateKey", "private_key", "secretKey"] },
+    { path: join(HOME, ".cdp", "wallet_data.json"), provider: "Coinbase CDP", keyFields: ["privateKey", "private_key", "seed"] },
+    { path: join(HOME, ".latinum", "config.json"), provider: "Latinum", keyFields: ["privateKey", "private_key"] },
+  ];
+
+  // Also check wallet_data_*.txt files
+  const searchDirs = [HOME, join(HOME, "Projects"), join(HOME, "projects"), join(HOME, "code"), join(HOME, "dev")];
+  for (const dir of searchDirs) {
+    if (!existsSync(dir)) continue;
+    try {
+      for (const file of readdirSync(dir)) {
+        if (file.startsWith("wallet_data_") && file.endsWith(".txt")) {
+          walletFiles.push({ path: join(dir, file), provider: `AgentKit (${file})`, keyFields: ["privateKey", "private_key", "seed", "export_data"] });
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  for (const { path: fp, provider, keyFields } of walletFiles) {
+    if (!existsSync(fp)) continue;
+    const data = readJson(fp);
+    if (!data || typeof data !== "object") continue;
+
+    const exposedKeys = keyFields.filter((k) => data[k] && typeof data[k] === "string" && data[k].length > 10);
+    if (exposedKeys.length > 0) {
+      findings.push({
+        severity: SEVERITY.CRITICAL,
+        title: `Plaintext private key in ${provider} wallet file`,
+        detail: fp.replace(HOME, "~"),
+        fix: "Encrypt this file or move private key to a hardware wallet / secure vault",
+      });
+    }
+
+    // Check file permissions (should be 600, not world/group readable)
+    try {
+      const mode = statSync(fp).mode;
+      const groupRead = mode & 0o040;
+      const otherRead = mode & 0o004;
+      if (groupRead || otherRead) {
+        findings.push({
+          severity: SEVERITY.WARNING,
+          title: `${provider} wallet file is readable by other users`,
+          detail: `${fp.replace(HOME, "~")} — permissions too open`,
+          fix: `Run: chmod 600 "${fp}"`,
+        });
+      }
+    } catch { /* skip */ }
+  }
+
+  // ── 2. Private keys in .env files ──
+  const envDirs = [process.cwd(), HOME, join(HOME, "Projects"), join(HOME, "projects")];
+  for (const dir of envDirs) {
+    const envPath = join(dir, ".env");
+    if (!existsSync(envPath)) continue;
+    try {
+      const lines = readFileSync(envPath, "utf-8").split("\n");
+      for (const line of lines) {
+        if (line.trim().startsWith("#")) continue;
+        const match = line.match(/^([A-Za-z_]*(?:PRIVATE_KEY|SECRET_KEY|MNEMONIC|SEED_PHRASE)[A-Za-z_]*)=/i);
+        if (match) {
+          findings.push({
+            severity: SEVERITY.CRITICAL,
+            title: `Private key variable in .env file`,
+            detail: `${envPath.replace(HOME, "~")} → ${match[1]}`,
+            fix: "Move to encrypted secrets manager or hardware wallet",
+          });
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // ── 3. Private keys leaked into MCP configs ──
+  const mcpConfigs = [
+    { path: join(HOME, "Library", "Application Support", "Claude", "claude_desktop_config.json"), label: "Claude Desktop" },
+    { path: join(HOME, ".cursor", "mcp.json"), label: "Cursor" },
+    { path: join(HOME, ".claude.json"), label: "Claude Code" },
+  ];
+  for (const { path: configPath, label } of mcpConfigs) {
+    const data = readJson(configPath);
+    if (!data || !data.mcpServers) continue;
+    for (const [serverName, config] of Object.entries(data.mcpServers)) {
+      if (!config || typeof config !== "object") continue;
+      const env = config.env || {};
+      for (const key of Object.keys(env)) {
+        const upper = key.toUpperCase();
+        if (upper.includes("PRIVATE_KEY") || upper.includes("SECRET_KEY") || upper.includes("MNEMONIC") || upper.includes("SEED_PHRASE")) {
+          findings.push({
+            severity: SEVERITY.CRITICAL,
+            title: `Private key in MCP config (${label})`,
+            detail: `Server "${serverName}" → env.${key}`,
+            fix: "Remove from config, use encrypted storage instead",
+          });
+        }
+      }
+    }
+  }
+
+  // ── 4. Wallet files in dangerous locations ──
+  const dangerousDirs = ["Downloads", "Desktop", "Documents", "tmp"];
+  for (const dirName of dangerousDirs) {
+    const dir = join(HOME, dirName);
+    if (!existsSync(dir)) continue;
+    try {
+      for (const file of readdirSync(dir)) {
+        const lower = file.toLowerCase();
+        if (lower.includes("private_key") || lower.includes("keystore") || lower.includes("seed_phrase") ||
+            (lower.includes("wallet") && (lower.endsWith(".json") || lower.endsWith(".txt") || lower.endsWith(".csv")) && lower.includes("key"))) {
+          findings.push({
+            severity: SEVERITY.WARNING,
+            title: `Suspicious wallet/key file in ~/${dirName}`,
+            detail: `~/${dirName}/${file}`,
+            fix: "Move to a secure location or delete if no longer needed",
+          });
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // ── 5. Git exposure — wallet dirs not gitignored ──
+  const sensitiveDirs = [
+    { path: join(HOME, ".agentcash"), name: ".agentcash" },
+    { path: join(HOME, ".cdp"), name: ".cdp" },
+    { path: join(HOME, ".wallet-agent"), name: ".wallet-agent" },
+    { path: join(HOME, ".openclaw"), name: ".openclaw" },
+    { path: join(HOME, ".latinum"), name: ".latinum" },
+  ];
+  for (const { path: dp, name } of sensitiveDirs) {
+    if (!existsSync(dp)) continue;
+    try {
+      const result = execSync(`git -C "${HOME}" check-ignore -q "${dp}" 2>/dev/null`, { stdio: "pipe" });
+    } catch {
+      // Non-zero exit = not ignored
+      findings.push({
+        severity: SEVERITY.WARNING,
+        title: `~/${name}/ is not git-ignored`,
+        detail: "Could accidentally be committed to a repository",
+        fix: `Add "${name}/" to your global .gitignore`,
+      });
+    }
+  }
+
+  // ── 6. wallet-agent: check if keys are actually encrypted ──
+  const waPath = join(HOME, ".wallet-agent", "auth", "encrypted-keys.json");
+  if (existsSync(waPath)) {
+    const data = readJson(waPath);
+    if (data && data.keys) {
+      const allEncrypted = Object.values(data.keys).every((v) => typeof v === "string" && v.length > 100);
+      if (allEncrypted) {
+        findings.push({
+          severity: SEVERITY.INFO,
+          title: "wallet-agent keys appear encrypted",
+          detail: waPath.replace(HOME, "~"),
+          fix: null,
+        });
+      }
+    }
+  }
+
+  // ── Calculate security score ──
+  const criticalCount = findings.filter((f) => f.severity === SEVERITY.CRITICAL).length;
+  const warningCount = findings.filter((f) => f.severity === SEVERITY.WARNING).length;
+  let score = 100;
+  score -= criticalCount * 25;
+  score -= warningCount * 10;
+  score = Math.max(0, Math.min(100, score));
+
+  let grade;
+  if (score >= 90) grade = "A";
+  else if (score >= 75) grade = "B";
+  else if (score >= 50) grade = "C";
+  else if (score >= 25) grade = "D";
+  else grade = "F";
+
+  return { findings, score, grade, criticalCount, warningCount };
+}
+
 // ── Output helpers ──────────────────────────────────────────────
 
 const RESET = "\x1b[0m";
@@ -194,6 +418,56 @@ function shortAddr(addr) {
 
 // ── Main ────────────────────────────────────────────────────────
 
+function printSecurityReport(security) {
+  const { findings, score, grade, criticalCount, warningCount } = security;
+
+  console.log(`  ${BOLD}SECURITY SCAN${RESET}`);
+  console.log("");
+
+  if (findings.length === 0) {
+    console.log(`  ${GREEN}✓ No security issues found${RESET}`);
+  } else {
+    for (const f of findings) {
+      let icon, color;
+      if (f.severity === SEVERITY.CRITICAL) { icon = "✗"; color = RED; }
+      else if (f.severity === SEVERITY.WARNING) { icon = "!"; color = YELLOW; }
+      else { icon = "✓"; color = GREEN; }
+
+      console.log(`  ${color}${icon}${RESET} ${f.title}`);
+      console.log(`    ${DIM}${f.detail}${RESET}`);
+      if (f.fix) {
+        console.log(`    ${DIM}Fix: ${f.fix}${RESET}`);
+      }
+      console.log("");
+    }
+  }
+
+  // Score bar
+  const barLen = 20;
+  const filled = Math.round((score / 100) * barLen);
+  const empty = barLen - filled;
+  let barColor = score >= 75 ? GREEN : score >= 50 ? YELLOW : RED;
+  const bar = barColor + "█".repeat(filled) + DIM + "░".repeat(empty) + RESET;
+
+  console.log(`  Security Score: ${BOLD}${grade}${RESET} (${score}/100)  ${bar}`);
+  if (criticalCount > 0) console.log(`  ${RED}${criticalCount} critical${RESET} · ${warningCount} warnings`);
+  else if (warningCount > 0) console.log(`  ${YELLOW}${warningCount} warning(s)${RESET}`);
+  console.log("");
+}
+
+function generateShareableText(unique, security) {
+  const chainSet = new Set(unique.map((w) => w.chain === "solana" ? "SOL" : "EVM"));
+  const lines = [
+    `Agent Wallet Security: ${security.grade} (${security.score}/100)`,
+    `${unique.length} wallets · ${chainSet.size} chain types`,
+  ];
+  if (security.criticalCount > 0) lines.push(`⚠ ${security.criticalCount} critical issues found`);
+  else lines.push(`✓ No critical issues`);
+  lines.push("");
+  lines.push("Scan yours: npx @kevinlilili/agent-wallet");
+  return lines.join("\n");
+}
+
 function main() {
   const args = process.argv.slice(2);
   const dashboardUrl = args.find((a) => a.startsWith("--url="))?.split("=")[1]
@@ -201,16 +475,19 @@ function main() {
     || "https://agent-wallet-dashboard.vercel.app";
   const noBrowser = args.includes("--no-open");
   const jsonOutput = args.includes("--json");
+  const securityOnly = args.includes("--security");
+  const noSecurity = args.includes("--no-security");
 
   console.log("");
   console.log(`  ${BOLD}Agent Wallet Scanner${RESET}`);
-  console.log(`  ${DIM}Scanning local configs for agent wallet addresses...${RESET}`);
+  console.log(`  ${DIM}Scanning local configs for agent wallets & security issues...${RESET}`);
   console.log("");
 
+  // ── Wallet Discovery ──
   const allWallets = [];
   const scanners = [
     { name: "AgentCash", fn: scanAgentCash },
-    { name: "Sponge", fn: scanSponge },
+    { name: "MCP Wallets", fn: scanMCPWallets },
     { name: "Coinbase AgentKit", fn: scanCoinbaseAgentKit },
     { name: "wallet-agent", fn: scanWalletAgent },
     { name: "OpenClaw", fn: scanOpenClaw },
@@ -218,39 +495,57 @@ function main() {
     { name: ".env file", fn: scanEnvFiles },
   ];
 
-  for (const scanner of scanners) {
-    const found = scanner.fn();
-    if (found.length > 0) {
-      console.log(`  ${GREEN}✓${RESET} ${scanner.name}: ${found.length} wallet(s)`);
-      allWallets.push(...found);
+  if (!securityOnly) {
+    for (const scanner of scanners) {
+      const found = scanner.fn();
+      if (found.length > 0) {
+        console.log(`  ${GREEN}✓${RESET} ${scanner.name}: ${found.length} wallet(s)`);
+        allWallets.push(...found);
+      }
     }
   }
 
-  // Deduplicate by address
   const unique = Array.from(new Map(allWallets.map((w) => [w.address, w])).values());
 
-  if (unique.length === 0) {
-    console.log(`  ${DIM}No agent wallets found.${RESET}`);
+  if (!securityOnly && unique.length > 0) {
     console.log("");
-    console.log(`  ${DIM}Tip: Install an agent wallet provider (AgentCash, Sponge, etc.)${RESET}`);
-    console.log(`  ${DIM}or open the dashboard manually: ${dashboardUrl}${RESET}`);
+    console.log(`  ${BOLD}${unique.length} wallet(s) found${RESET}`);
+    console.log("");
+
+    for (const w of unique) {
+      const badge = w.chain === "solana" ? `${YELLOW}SOL${RESET}` : `${CYAN}EVM${RESET}`;
+      console.log(`  ${w.provider.padEnd(20)} ${DIM}${shortAddr(w.address)}${RESET}  ${badge}`);
+    }
+    console.log("");
+  } else if (!securityOnly && unique.length === 0) {
+    console.log(`  ${DIM}No agent wallets found.${RESET}`);
     console.log("");
-    process.exit(0);
   }
 
-  console.log("");
-  console.log(`  ${BOLD}${unique.length} wallet(s) found${RESET}`);
-  console.log("");
+  // ── Security Scan ──
+  if (!noSecurity) {
+    const security = securityScan(unique);
+    printSecurityReport(security);
+
+    // Shareable text
+    if (unique.length > 0) {
+      const shareText = generateShareableText(unique, security);
+      console.log(`  ${DIM}── Share ──${RESET}`);
+      console.log("");
+      shareText.split("\n").forEach((l) => console.log(`  ${l}`));
+      console.log("");
+    }
 
-  for (const w of unique) {
-    const badge = w.chain === "solana" ? `${YELLOW}SOL${RESET}` : `${CYAN}EVM${RESET}`;
-    console.log(`  ${w.provider.padEnd(20)} ${DIM}${shortAddr(w.address)}${RESET}  ${badge}`);
+    if (jsonOutput) {
+      console.log(JSON.stringify({ wallets: unique, security: { score: security.score, grade: security.grade, findings: security.findings } }, null, 2));
+      process.exit(0);
+    }
+  } else if (jsonOutput) {
+    console.log(JSON.stringify(unique, null, 2));
+    process.exit(0);
   }
 
-  // JSON output mode (for piping)
-  if (jsonOutput) {
-    console.log("");
-    console.log(JSON.stringify(unique, null, 2));
+  if (securityOnly || unique.length === 0) {
     process.exit(0);
   }
 
@@ -260,7 +555,6 @@ function main() {
     .join("&");
   const url = `${dashboardUrl}?${params}`;
 
-  console.log("");
   console.log(`  ${DIM}Dashboard:${RESET} ${url}`);
   console.log("");
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kevinlilili/agent-wallet",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Scan your machine for AI agent wallets and see them in one dashboard",
   "bin": {
     "agent-wallet": "index.js"