Fund
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The wallet funding workflow depends on a third-party CLI package that could change over time.
The skill relies on running an external npm package at @latest, so the executed CLI code is not pinned to a reviewed version.
allowed-tools: ["Bash(npx awal@latest status*)", "Bash(npx awal@latest show*)", "Bash(npx awal@latest address*)", "Bash(npx awal@latest balance*)"]
Use this only if you trust the awal CLI source; a safer version would pin the CLI version or provide a clearer provenance/install specification.
The skill can expose wallet status, address, balance, and open a funding flow where the user may spend money.
The skill expects an authenticated wallet context and routes the user to a payment/onramp flow, which is sensitive financial account activity but matches the stated purpose.
Must be authenticated (`npx awal@latest status` to check) ... User completes payment through Coinbase Pay
Before completing any funding action, confirm the wallet address, amount, payment method, network, and Coinbase Pay page are correct.