Agent Credit
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent about Aave credit delegation, but it gives an agent autonomous financial borrowing power and its safety/credential boundaries are under-declared and not fully enforced.
Only install if you understand Aave credit delegation and are comfortable giving an agent limited borrowing authority. Use a dedicated agent wallet, start with very small delegation limits, test on a testnet, protect the config file, require human review for borrows, monitor health factor externally, and revoke delegation whenever the agent is idle.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent action could borrow with more liquidation risk than the user expected, even though the skill describes safety checks.
The script signs an on-chain borrow transaction that charges the delegator, but the per-transaction cap is only enforced when the borrowed asset matches the configured cap unit, and the health-factor check only verifies current HF before borrowing rather than enforcing the configured post-borrow floor.
if [ "$SYMBOL" = "$MAX_BORROW_UNIT" ]; then ...
if (( $(echo "$AMOUNT > $MAX_BORROW" | bc -l) )); then ... exit 1 ... fi ...
# Check current HF is above minimum
...
cast send "$POOL" "borrow(address,uint256,uint256,uint16,address)" ... --private-key "$AGENT_PK"
Require explicit approval for each borrow, enforce per-asset or price-converted caps for every supported asset, and simulate/check the post-borrow health factor before signing.
If the agent key or agent runtime is misused, borrowed debt can accrue to the delegator up to the approved Aave delegation limits.
The skill expects a signing key tied to an agent wallet that can use delegated Aave credit against the user's account. The registry metadata declares no primary credential or env vars, so this permission boundary is under-visible at install time.
"agentPrivateKey": "0xYOUR_AGENT_WALLET_PRIVATE_KEY", "delegatorAddress": "0xYOUR_MAIN_WALLET_ADDRESS"
Use a dedicated low-value agent wallet, store the key with restrictive permissions or a key manager, keep delegation amounts small, and revoke delegation when not actively needed.
Installing Foundry executes code from outside this skill; users need to trust that installer and have the required tools available.
The docs direct the user to install Foundry from a remote script so the skill can use cast. This is relevant to the skill's purpose, but it is not declared in the install spec or binary requirements.
curl -L https://foundry.paradigm.xyz | bash && foundryup
Declare Foundry/cast, jq, and bc requirements in metadata or an install spec, and prefer pinned or package-manager installation instructions where possible.
A forgotten delegation can remain usable after the original task is over.
The skill discloses that delegation is long-lived and can be used later. This is expected for the feature, but it creates persistent autonomous financial authority.
If you forget about an active delegation, the agent (or a compromised agent) can borrow at any time.
Regularly audit allowances, set small delegation ceilings, and revoke delegation for each asset when the agent no longer needs borrowing power.
