KarmaBank

Warn

Audited by ClawScan on May 10, 2026.

Overview

KarmaBank is a financial wallet/USDC borrowing skill, but it asks for high-impact Circle credentials and describes money-moving commands without enough reviewed code, metadata disclosure, or safety boundaries.

Review carefully before installing. If you test it, use only testnet accounts and restricted Circle credentials, avoid real funds, and do not provide API secrets until the full source and dependency chain are available and reviewed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If provided, these credentials could allow wallet-related actions under the user's Circle account, including actions involving USDC.

Why it was flagged

The skill asks for Circle developer-controlled wallet credentials, including an entity secret, while the registry declares no required environment variables or primary credential.

Skill content
# Circle API (for real wallet)
CIRCLE_API_KEY=your_key
CIRCLE_ENTITY_SECRET=your_secret
Recommendation

Use only tightly scoped testnet credentials, document the exact permissions needed, declare the credential requirements in metadata, and require explicit user confirmation for wallet actions.

What this means

A user or agent could trigger wallet creation or USDC loan actions without clear artifact-backed safeguards.

Why it was flagged

These commands can mutate financial or account state, but the artifacts do not show confirmation gates, testnet-only enforcement, amount validation, or rollback guidance.

Skill content
`borrow <name> <amount>` | Borrow USDC
`repay <name> <amount>` | Repay USDC loan
`wallet create <name>` | Create Circle wallet
Recommendation

Add explicit approval steps, hard network and amount limits, dry-run/status checks, and clear recovery instructions before any borrow, repay, or wallet-creation operation.

What this means

Users may need to rely on unreviewed local or external code for wallet and credential handling.

Why it was flagged

The package references runtime files and a sibling wallet dependency that are not included in the reviewed file manifest, while the README instructs users to install and build the package.

Skill content
"main": "dist/index.js", "start": "node dist/cli.js", "@circle/openclaw-wallet-skill": "file:../skills/circle-wallet"
Recommendation

Publish the full source, include a lockfile, avoid dependencies outside the reviewed skill directory, pin dependency versions, and provide a complete install spec.