Send Usdc
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is meant to send USDC, but it can initiate real wallet payments through an unpinned external CLI without clear confirmation or credential boundaries.
Only use this skill if you trust the `awal` CLI and understand which wallet it controls. Before sending, manually verify the token, chain, amount, recipient or resolved ENS address, and source wallet, and prefer a version-pinned tool with an explicit confirmation step.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken prompt, misunderstood recipient, or ambiguous amount could result in an irreversible on-chain payment.
The skill allows a Bash command that directly sends USDC. The artifact does not add a mandatory final confirmation step, recipient review, or amount review before initiating a high-impact financial transfer.
allowed-tools: ["Bash(npx awal@latest status*)", "Bash(npx awal@latest send *)", "Bash(npx awal@latest balance*)"]
Require explicit user confirmation immediately before every send, showing chain, token, exact amount, recipient input, resolved address, fees if available, and source wallet.
The agent may interpret a requested payment amount differently from what the user intended.
The skill includes an amount-interpretation heuristic for payments based on assumptions about typical user behavior. For money transfers, this is materially risky unless the interpreted amount is confirmed by the user.
If the number looks like atomic units (no decimal or > 100), treat as atomic units. Assume that people won't be sending more than 100 USDC the majority of the time
Avoid heuristic amount conversion for transfers, or always ask the user to confirm the final normalized USDC amount before running the send command.
Installing or invoking the skill may let the agent use an existing wallet session to move funds, but the artifacts do not clearly explain which wallet, account, or permissions are used.
The skill depends on an authenticated wallet capable of spending funds, while the supplied metadata declares no primary credential or required configuration. The scope and handling of wallet authority are not clearly bounded.
- Must be authenticated (`npx awal@latest awal status` to check, `npx awal@latest awal auth login` to sign in, see skill `authenticate-wallet` for more information)
- Wallet must have sufficient USDC balance
Declare the wallet credential/session dependency and document exactly which wallet is used, how authorization is checked, and how users can revoke or limit transfer authority.
A future or compromised version of the external CLI could change behavior while still being invoked by this skill.
The skill executes an unpinned `@latest` npm package at runtime for financial transfers. The artifact set contains no reviewed code or install lock, and the registry source/homepage are unknown.
Use the `npx awal@latest send` command to transfer USDC
Pin the CLI version, provide provenance or a verified homepage/source, and avoid runtime `@latest` execution for payment operations.
