Grand Bazaar Swap
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a real crypto swap workflow, but it gives the agent high-impact wallet authority and its execution script can approve tokens to a contract address taken from an order payload.
Only install or use this skill with low-value test wallets unless you fully understand the onchain effects. Before any transaction, manually verify the token addresses, amounts, fees, recipient, expiry, and especially the swap contract address against trusted deployments. Do not provide primary-wallet private keys, and require explicit confirmation before approvals, signatures, casts, or swaps.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or mistaken order file could cause the wallet to approve and interact with an unexpected contract, putting tokens at risk.
The script reads an order payload, lets metadata choose the swap contract, then approves that address to spend the sender token and calls swap. The artifacts do not show an allowlist check limiting this to the documented AirSwap/Grand Bazaar contracts.
const fromMeta = payload?.meta?.verifyingContract || payload?.meta?.swapContract; if (fromMeta) return fromMeta; ... const tx = await senderToken.connect(sender).approve(swapAddress, total, ...); ... const tx = await swap.connect(sender).swap(recipient, maxRoyalty, orderForCall, ...);
Only execute orders after verifying the swap contract address against a trusted allowlist of deployed contracts; the script should reject unknown verifyingContract or swapContract values by default.
The agent could spend tokens, sign offers, or post offers faster than the user expects if the workflow is invoked with wallet credentials available.
The skill encourages quick default acceptance and proactive offer-making for mainnet swaps, but the quoted workflow does not require explicit user confirmation immediately before financial transactions or public posting.
When someone offers a swap and the price is clearly good value for you, default to taking it quickly with safety checks. ... Execute the swap if checks pass ... proactively make favorable outbound offers
Require an explicit user approval step before every approval, signature, public cast, and swap transaction, including a summary of token addresses, amounts, fees, recipient, contract address, and expiry.
Anyone or anything that can run the scripts with these environment variables can control the corresponding wallet for approvals, signatures, and transactions.
The workflow uses raw wallet private keys for signing and execution. This is expected for the stated crypto-swap purpose, but it is high-impact authority and is not reflected in the registry metadata's credential/env-var declarations.
Inputs - SIGNER_PRIVATE_KEY ... Inputs - SENDER_PRIVATE_KEY
Use fresh, low-value wallets; avoid reusing primary wallets; prefer hardware-wallet or scoped signer flows where possible; and declare the private-key requirement clearly in metadata.
Order details, wallet addresses, amounts, expiries, and signatures may be exposed through social posting, especially for open orders.
Signed order data is intentionally transported through Farcaster casts for this two-agent protocol. That is purpose-aligned, but users should understand that cast contents may be public and reusable according to the order terms.
The order and signature move from signer to sender via Farcaster casts. Use `GBZ1:<compressedOrder>` as the canonical transport/storage layer for order blobs.
Use targeted/private orders when needed, keep expiries short, and do not post an order publicly unless you are comfortable with the disclosed terms.
A different dependency version could change behavior if installed without using the lockfile.
The scripts rely on npm packages with semver ranges. These dependencies are normal for the purpose and a package-lock is included, but users should avoid installing unreviewed newer versions.
"dependencies": {
"ethers": "^5.8.0",
"lz-string": "^1.5.0"
}Install with the included lockfile, review dependency provenance, and avoid running the scripts from an untrusted directory.