Indigo Redemption

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill matches its Indigo Protocol purpose, but it relies on an unpinned external MCP package and can build unsigned financial transactions that users should verify before signing.

Before installing, confirm that you trust the Indigo MCP package and prefer a pinned version. When using the skill, review every generated transaction in your wallet before signing, especially amounts, assets, price limits, fees, and UTxO references.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A wrong amount, asset, price limit, or UTxO could lead to an unwanted on-chain action after the user signs.

Why it was flagged

The skill can prepare transactions for opening, canceling, adjusting, claiming, and redeeming ROB positions; this is purpose-aligned but financially impactful if the user signs the transaction.

Skill content

All write operations return an unsigned transaction (CBOR hex) for client-side signing.

Recommendation

Treat generated transactions as drafts and carefully verify the wallet signing screen, including asset, amount, max price, address, fees, and UTxOs before signing.

What this means

Running an unpinned npx package may execute whatever package version is resolved at install time.

Why it was flagged

The setup directs the user to execute an external npm MCP server without a pinned version in the skill artifacts; this is central to the skill but creates ordinary package provenance risk.

Skill content

- Node.js 20+
- `@indigoprotocol/indigo-mcp` server running

```bash
npx @indigoprotocol/indigo-mcp
```

Recommendation

Use a trusted source, pin or review a known version of @indigoprotocol/indigo-mcp, and do not grant wallet secrets or signing authority unless independently verified.