Usdc Dance Evvm Payment

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

This skill handles blockchain payments and explicitly enables autonomous wallet transactions, yet it requests high-value authority (Privy app credentials or a raw private key) without reviewable implementation code or clearly enforced spending limits.

Review carefully before installing. Treat this as a high-risk payment skill: use only testnet or a dedicated low-balance wallet, set strict Privy policies, require manual approval for payments, verify all contract addresses, and do not provide a private key. Avoid real funds until the complete implementation is available and audited.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1 of 3: autonomous payments without an enforced approval gate or spending limits

What this means

An agent could make unintended or excessive payments if it misunderstands a task, is prompted maliciously, or uses the wrong recipient or amount.

Why it was flagged

The artifact explicitly authorizes autonomous payment behavior but describes no required approval gate, enforced spending cap, or recipient allowlist. For a funds-transfer skill, the absence of any of these controls is a material concern: nothing stands between a misread task or an injected prompt and a signed transfer.

Skill content
✅ **Autonomous Payments**: Agents can pay each other without human intervention
Recommendation

Require explicit user confirmation for each payment unless a verified policy enforces strict amount, recipient, chain, and contract limits. Start on testnet and use low spending caps.

Finding 2 of 3: signing credentials requested but not declared in metadata

What this means

If these credentials are misused or exposed, anyone holding them can perform wallet actions and payments under the full authority of the user's Privy app or private key.

Why it was flagged

The skill requests Privy app credentials and also documents a private-key payment path. Both grant signing and payment authority, yet the registry requirements supplied with the skill declare no environment variables or primary credential, so the authority the skill actually needs is invisible to anyone reviewing its manifest.

Skill content
"PRIVY_APP_ID": "your-app-id", "PRIVY_APP_SECRET": "your-app-secret" ... privateKey: agentPrivateKey
Recommendation

Use a dedicated Privy app and wallet, avoid the private-key path, declare credentials in metadata, and enforce least-privilege Privy policies before enabling the skill.

Finding 3 of 3: referenced implementation code is missing from the package

What this means

Users cannot verify what code would actually sign, submit, or record payments, whether they follow these instructions as written or obtain the missing files from somewhere else.

Why it was flagged

The SKILL.md imports from ./src/index and points readers to an examples/ directory, but the provided manifest lists SKILL.md as the only file and no code files are present. For a high-impact payment skill, this leaves the transaction logic unreviewable.

Skill content
import { payViaEVVMWithPrivy } from './src/index'; ... See `examples/` directory
Recommendation

Do not use with real funds until the complete source, examples, dependency list, and provenance are provided and reviewed.