Mamo
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Review before use: this appears purpose-aligned for Mamo DeFi, but it asks for a wallet private key and can approve or move real funds while some high-impact credential and local strategy-state handling is under-declared.
Only use this with a dedicated hot wallet containing funds you can afford to risk. Verify the npm package/source, set MAMO_WALLET_KEY carefully, inspect the target strategy contract before approvals or deposits, and prefer dry-run or explicit confirmations for every financial action.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: If installed and configured, the skill can sign Base mainnet transactions from the provided wallet, including token approvals, deposits, withdrawals, and strategy creation.
Detail: The skill requires a raw wallet private key for signing, while the registry metadata lists no primary credential or required env var; this under-declares authority over real funds.
Evidence:
    export MAMO_WALLET_KEY=0x... # wallet private key
Recommendation: Declare MAMO_WALLET_KEY as a required primary credential and use only a dedicated hot wallet with limited funds; never provide a main wallet private key.
Finding 2
Impact: Mistaken or unintended execution could approve token spending or move assets into a strategy contract.
Detail: Token approvals and deposits are central to the DeFi purpose and are disclosed, but they are high-impact financial mutations.
Evidence:
    Deposit → CLI approves token spend, then calls `deposit(amount)` on your strategy contract
Recommendation: Require explicit user confirmation for create/deposit/withdraw actions, verify amounts and contract addresses, and use --dry-run before sending transactions.
Finding 3
Impact: A bad local strategies file could cause the CLI to interact with an unexpected contract, potentially risking token approvals or funds.
Detail: Locally persisted strategy addresses are trusted alongside registry results and reused to resolve strategy contracts; stale or tampered local state could influence which contract receives approvals or deposits unless later validation is enforced.
Evidence:
    // Registry may be inaccessible, continue with local storage
    ...
    const localAddresses = getLocalStrategyAddresses(walletAddress);
    ...
    results.push(addr);
Recommendation: Validate locally stored strategy addresses against registry/factory/code/owner checks before approvals or deposits, show the target address to the user, and protect the config files.
Finding 4
Impact: Installing the CLI or dependencies runs code from the Node package ecosystem.
Detail: The CLI uses npm installation and third-party packages, which is expected for this Node-based tool but still introduces normal package provenance risk.
Evidence:
    npm install -g mamo-cli
Recommendation: Install only from the intended package/repository, prefer the reviewed lockfile where possible, and avoid installing if the package provenance cannot be verified.
