Megaeth Developer

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent MegaETH guide, but it includes high-impact wallet actions with unsafe or ambiguous defaults that users should review before use.

Install only if you are comfortable reviewing wallet actions carefully. Do not let an agent send transactions automatically; verify all recipients, token contracts, spender approvals, bridge addresses, and networks from official sources, prefer testnet first, and never expose private keys in chat or unreviewed helper scripts.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If followed as-is, an agent or user could send ETH or tokens without a final human confirmation of recipient, amount, gas, and network.

Why it was flagged

These are financial transfer examples that include `--yes`, which commonly bypasses interactive confirmation, despite the same file later saying to confirm before sending.

Skill content
node src/transfer.js megaeth 0xRecipient 0.1 --yes --json ... node src/transfer.js megaeth 0xRecipient 100 0xFAfDdbb3FC7688494971a79cc65DCa3EF82079E7 --yes --json

Recommendation

Remove `--yes` from default examples and require explicit user confirmation before every transaction.

What this means

Following the examples could execute unreviewed local JavaScript for private-key handling or fund transfers.

Why it was flagged

The supplied artifacts are instruction-only and contain no `src/` code, but these wallet setup and transfer commands depend on relative helper scripts whose source is not included or pinned.

Skill content
### Using evm-wallet-skill (CLI) ... node src/setup.js --json ... node src/transfer.js megaeth 0xRecipient 0.1 --yes --json

Recommendation

Package or clearly pin the helper source, document how to install the intended wallet CLI, and avoid relative `src/*.js` commands for fund-moving actions.

What this means

A malicious or compromised spender contract could spend all approved tokens of that type.

Why it was flagged

The generic ERC-20 approval example grants unlimited allowance to an arbitrary spender instead of scoping approval to the needed amount.

Skill content
functionName: 'approve', args: [spenderAddress, maxUint256]

Recommendation

Approve only the exact required amount, verify the spender contract, show allowance details to the user, and recommend revoking unused approvals.

What this means

An agent or user may interact with the wrong token contract if they trust one of the conflicting addresses.

Why it was flagged

The skill gives two different hardcoded addresses for the same MEGA token, which is risky in a wallet and token-operations guide.

Skill content
wallet-operations.md MEGA: 0x28B7E77f82B25B95953825F1E3eA0E36c1c29861; resources.md MEGA Token: 0x28B7E77f82B25B95953825F1E2eA0E36c1c29861

Recommendation

Remove duplicated hardcoded token addresses or resolve them from the official token list and block explorer at execution time.

What this means

The swap provider may learn wallet addresses, token pairs, amounts, and intended trades.

Why it was flagged

The Kyber integration sends wallet addresses and swap details to an external aggregator API, which is expected for swaps but still privacy-relevant.

Skill content
const KYBER_API = 'https://aggregator-api.kyberswap.com/megaeth/api/v1'; ... sender: walletAddress, recipient: walletAddress

Recommendation

Tell users before sending wallet or trade data to Kyber and verify the API endpoint from official documentation.