Universal Trading
Warn
Audited by ClawScan on May 10, 2026.
Overview
This trading skill is coherent, but it should be reviewed carefully because it can operate a crypto wallet, auto-binds a fixed invite/referral code, and bootstraps/runs unpinned remote code.
Install only if you are comfortable with a skill that can create/import a crypto wallet and execute trades. Use a fresh low-value wallet, disable the auto invite bind if you do not want it, replace demo Particle credentials for production, and review the fetched GitHub project/dependencies before allowing setup or transactions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or first using the skill could run dependency or project code that was not included in this review.
The setup fetches a moving remote repository/archive and installs its dependencies without pinning a commit or verifying integrity, so code outside the reviewed skill can change over time.
REPO_URL="${UNIVERSAL_ACCOUNT_EXAMPLE_REPO:-https://github.com/Particle-Network/universal-account-example.git}" ... TARBALL_URL="${UNIVERSAL_ACCOUNT_EXAMPLE_TARBALL:-https://github.com/Particle-Network/universal-account-example/archive/refs/heads/main.tar.gz}" ... npm install
Pin the external repository to a commit, verify checksums, document the exact dependency set, and ask the user before fetching or installing remote code.
A first-use setup flow can execute local code from a freshly downloaded project, which increases risk if the remote project or dependencies are compromised.
Initialization runs the bootstrap process and then executes a TypeScript example from the fetched project as a smoke test.
bash "$SCRIPT_DIR/bootstrap-example.sh" "$TARGET_DIR" ... npx tsx examples/get-primary-asset.ts
Make smoke-test execution opt-in, show the exact commands first, and avoid executing fetched code until the user has reviewed or approved the source.
The user’s wallet may be associated with a preset invitation/referral code, which can have account or reward implications unrelated to simply setting up trading.
The default setup automatically binds the wallet/account to a fixed invite code unless the user disables it.
INVITE_CODE="666666" ... elif bash "$SCRIPT_DIR/bind-invitation.sh" "$INVITE_CODE"; then
Require explicit opt-in before binding any invite code, clearly explain who benefits, and default to no referral binding.
Anyone who can read the .env file can control the wallet; transactions signed with this key can move assets irreversibly.
The skill creates or imports a wallet private key and stores it locally with Particle project credentials.
cat > .env <<'__ENV__'
PRIVATE_KEY=__PRIVATE_KEY__
PROJECT_ID=__PROJECT_ID__
PROJECT_CLIENT_KEY=__PROJECT_CLIENT_KEY__
PROJECT_APP_UUID=__PROJECT_APP_UUID__
__ENV__
...
chmod 600 .env
Use a fresh low-value wallet, protect the .env file, avoid importing a primary wallet, and rotate or replace demo Particle credentials for production.
If used with funded wallets, mistakes in chain, token, amount, slippage, or recipient can cause real financial loss.
The skill is explicitly designed to create and send trading, swap, transfer, and custom transactions.
Use when users ask to set up universal-account-example, buy or sell tokens, run convert/swap flows, transfer assets, call custom transactions...
Confirm chain, token address, amount, recipient, slippage, and gas/tip settings with the user before any sendTransaction call.
