KarmaBank
Review
Audited by ClawScan on May 10, 2026.
Overview
KarmaBank describes USDC borrowing and Circle wallet use, but the reviewed artifacts are only scaffolding with missing implementation, undeclared credentials, and an unreviewed local wallet dependency.
Treat this as a review-needed scaffold, not a ready-to-install wallet skill. Before installing, require the full source tree, remove or pin the local file dependency, use sandbox-only credentials, and avoid '--yes' or any borrow/repay action until transaction safeguards are clear.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing this package could depend on unreviewed local wallet code, or fail unpredictably, before the user has assurance about what will access wallet credentials.
npm install would resolve a wallet skill from a relative path outside the supplied artifact set, so the reviewed artifacts do not establish what wallet code would run or handle credentials.
"@circle/openclaw-wallet-skill": "file:../skills/circle-wallet"
Do not run npm install/build for this skill until the full source and wallet dependency are included, reviewed, and pinned to a verifiable package or commit.
An agent or user could trigger financial-style state changes without enough visible safeguards, especially if real wallet integration is later enabled.
The CLI is documented to mutate loan/USDC state and includes a confirmation-bypass flag, but the implementation is absent so transaction limits, approvals, and containment cannot be verified.
`credit borrow <moltbookName> <amount> [--yes]` ... `credit repay <moltbookName> <amount> [--yes]`
Require explicit user confirmation for every borrow, repay, or wallet action, verify that it is testnet-only unless intentionally configured otherwise, and review the actual source before use.
Providing Circle credentials may grant wallet-related authority without a clear reviewed contract for scope, storage, or use.
The skill asks users to provide Circle wallet credentials for real-wallet use, while the registry declares no env vars or primary credential and no reviewed implementation bounds credential handling.
`CIRCLE_API_KEY=your_key` `CIRCLE_ENTITY_SECRET=your_secret`
Use only sandbox/testnet credentials until the source is reviewed, restrict Circle API permissions as much as possible, and ensure credential requirements are declared in metadata.
