Wallet Forge handles sensitive data (private keys). Here's how to verify it's trustworthy before using it.
Test that the tool works without internet:
# Method 1: Download and test
git clone https://github.com/CryptoExplor/Wallet-Forge
cd Wallet-Forge/public
# Disconnect from internet (turn off WiFi/unplug ethernet)
# Open index.html in browser
open index.html # macOS
start index.html # Windows
xdg-open index.html # Linux
# Tool should load and function perfectly ✅
What this proves:
- No API calls to external servers
- No CDN dependencies
- No hidden network requests
- Truly client-side operation
Use browser DevTools to confirm zero network calls:
1. Open Wallet Forge in browser
2. Open DevTools (F12 or Cmd+Opt+I)
3. Go to Network tab
4. Clear network log
5. Use the tool (import, validate, export)
6. Verify: Zero network requests ✅
Expected result:
- Network tab shows: "0 requests"
- No XHR/Fetch requests
- No external resource loads
Screenshot for reference:
Network tab: Empty (except initial page load)
Check CSP headers block network calls:
1. Open Wallet Forge
2. Open DevTools → Console
3. Try to manually make a network call:
fetch('https://example.com')
4. Should see CSP error: "Refused to connect" ✅
What this proves:
- CSP meta tag is enforced
- Browser blocks any network attempts
- Even malicious injected code can't phone home
Review the code yourself:
# Clone repo
git clone https://github.com/CryptoExplor/Wallet-Forge
cd Wallet-Forge
# The entire app is in these files:
ls -lh public/
# index.html (~21KB) - Main application
# sha3.min.js (~5.6KB) - Keccak256 crypto library
# Read the code:
cat public/index.html
cat public/sha3.min.js
What to look for:
- ✅ No fetch() or XMLHttpRequest calls
- ✅ No <script src="https://..."> external scripts
- ✅ No analytics libraries (Google Analytics, etc.)
- ✅ No localStorage writes (except burn session)
- ✅ CSP meta tag present
Confirm sha3.min.js is legitimate:
# Download from CDN
curl -o sha3-cdn.min.js \
https://cdnjs.cloudflare.com/ajax/libs/js-sha3/0.8.0/sha3.min.js
# Compare with local copy
diff sha3-cdn.min.js public/sha3.min.js
# Should be identical ✅
Or check file hash:
# SHA-256 hash should match CDN version
shasum -a 256 public/sha3.min.js
# Compare with official CDN hash
# https://cdnjs.com/libraries/js-sha3
Run in a sandboxed environment:
# Option 1: Docker container
docker run -p 8000:8000 -v "$(pwd)/public:/app" python:3-alpine \
sh -c "cd /app && python -m http.server 8000"
# Option 2: VM or dedicated machine
# Copy files to VM with no network access
# Verify tool works offline
What this proves:
- Tool functions without network
- No hidden dependencies
- No cloud services required
If you see any of these, DO NOT USE:
❌ Network requests in DevTools
❌ External <script> tags (except local sha3.min.js)
❌ Google Analytics or tracking pixels
❌ localStorage writes without user action
❌ Obfuscated or minified code (except sha3.min.js)
❌ Requests for wallet connect
❌ Requests for RPC endpoints
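The "What to look for" checks and the red flags above can be run as a static pass over index.html before it is ever opened in a browser. This is an added example, not code from the Wallet Forge project: the sample pages are constructed, the required policy (`connect-src` or `default-src` set to `'none'`) is an assumption consistent with the "Refused to connect" behaviour described earlier, and the API list goes beyond fetch()/XMLHttpRequest to other calls governed by `connect-src`.

```python
import re
from html.parser import HTMLParser

# fetch/XMLHttpRequest are named on the page; the others are also governed by connect-src.
NETWORK_APIS = re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|sendBeacon|EventSource)\b")

class PageAudit(HTMLParser):
    """Collect external script URLs, inline script text and the CSP meta policy."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self.csp, self._capture = [], [], None, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src") or ""
            if re.match(r"(?i)(https?:)?//", src):  # absolute or protocol-relative URL
                self.external.append(src)
            self._capture = not src                 # only inline scripts carry code here
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.csp = a.get("content") or ""
    def handle_endtag(self, tag):
        self._capture = self._capture and tag != "script"
    def handle_data(self, data):
        if self._capture:
            self.inline.append(data)

def effective_connect_src(csp):
    """connect-src governs fetch/XHR and falls back to default-src when absent."""
    d = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            d.setdefault(tokens[0].lower(), tokens[1:])
    return d.get("connect-src", d.get("default-src"))

def audit(html):
    """Return a list of red flags; an empty list means none of these checks fired."""
    p = PageAudit()
    p.feed(html)
    findings = [f"external script: {s}" for s in p.external]
    findings += [f"network API: {m.group(1)}" for m in NETWORK_APIS.finditer("\n".join(p.inline))]
    if p.csp is None:
        findings.append("no CSP meta tag")
    elif effective_connect_src(p.csp) != ["'none'"]:
        findings.append("CSP does not set connect-src/default-src to 'none'")
    return findings

# Constructed samples, not the project's real index.html.
CLEAN = """<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'">
<script src="sha3.min.js"></script><script>function check(a) { return a; }</script>"""
TAMPERED = CLEAN + '<script src="https://cdn.example/x.js"></script><script>fetch("https://example.com")</script>'
```

To audit a real checkout, pass the file contents: `audit(open("public/index.html", encoding="utf-8").read())`. A clean result complements the DevTools checks; it does not replace reading the code.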
Verify files haven't been tampered with:
# Get latest release hash
git clone https://github.com/CryptoExplor/Wallet-Forge
cd Wallet-Forge
git checkout v1.2.0
# Compute file hashes
shasum -a 256 public/index.html
shasum -a 256 public/sha3.min.js
# Compare with published hashes in release notes
For maximum security, understand every line:
# The app is intentionally simple:
# - HTML structure
# - CSS styling (inline)
# - JavaScript functions (inline)
# - sha3.min.js (standard library)
# Total: ~500 lines of custom code
# All readable, no obfuscation
Verify checksum validation is correct:
// Test addresses
✅ Valid: 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045
❌ Invalid: 0xD8DA6BF26964AF9D7EED9E03E53415D37AA96045 (wrong case)
// Paste both into tool
// First should show ✅ Valid
// Second should show ❌ Invalid
Before using Wallet Forge with real private keys:
- Tested offline mode (disconnected from internet)
- Verified zero network requests in DevTools
- Confirmed CSP blocks external connections
- Reviewed source code in index.html
- Verified sha3.min.js matches CDN version
- Tested EIP-55 validation accuracy
- Ran in isolated environment (VM/container)
- No red flags detected
Found a security vulnerability? Please report responsibly:
DO:
- Email: [your-email@example.com]
- Create private GitHub security advisory
- Wait for response before public disclosure
DON'T:
- Post vulnerabilities in public issues
- Share on social media before fix
- Exploit vulnerabilities maliciously
1. Download index.html + sha3.min.js
2. Transfer to offline machine (USB drive)
3. Disconnect machine from network
4. Open in browser
5. Use for sensitive operations
6. Burn session when done
7. Verify data before reconnecting
1. Use dedicated offline machine
2. Verify file hashes before use
3. Never connect to internet after use
4. Use burn session feature
5. Clear browser cache after
6. Restart machine
✅ Network eavesdropping - No data transmitted
✅ Man-in-the-middle - No network calls
✅ Server compromise - No server
✅ Tracking - No analytics
✅ Data leaks - Client-side only
❌ Compromised machine - If your computer has malware, all bets are off
❌ Keyloggers - Physical/software keyloggers can capture input
❌ Screen capture - Malware can screenshot your data
❌ Clipboard hijacking - Malware can steal clipboard contents
❌ Browser vulnerabilities - Browser exploits could bypass CSP
For maximum paranoia:
1. Boot Tails OS (amnesic live system)
2. Transfer Wallet Forge files via USB
3. Use without network
4. Tails wipes all data on shutdown
For compartmentalization:
1. Create isolated Qube
2. No network access
3. Use Wallet Forge in Qube
4. Destroy Qube after use
- EIP-55: Mixed-case checksum address encoding
- Content Security Policy (CSP)
- js-sha3 library
- Client-side security best practices
Once you've verified Wallet Forge is safe:
- Star the repo if you trust it
- Share with others (help them verify too)
- Contribute improvements
- Report any security concerns
Remember: Trust, but verify. Always audit tools that handle private keys.
Last Updated: v1.2.0 (January 2026)