Usdc Dance Evvm Payment

Pending

Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could make unintended or excessive payments if it misunderstands a task, is prompted maliciously, or uses the wrong recipient or amount.

Why it was flagged

The artifact explicitly authorizes autonomous payment behavior. For a funds-transfer skill, lack of a required approval gate, enforced spending cap, or recipient allowlist is a material control concern.

Skill content
✅ **Autonomous Payments**: Agents can pay each other without human intervention
Recommendation

Require explicit user confirmation for each payment unless a verified policy enforces strict amount, recipient, chain, and contract limits. Start on testnet and use low spending caps.

What this means

If these credentials are misused or exposed, wallet actions and payments may be possible under the user's Privy app or key authority.

Why it was flagged

The skill requests Privy app credentials and also documents a private-key payment path. These grant signing and payment authority, but the supplied registry requirements declare no env vars or primary credential.

Skill content
"PRIVY_APP_ID": "your-app-id", "PRIVY_APP_SECRET": "your-app-secret" ... privateKey: agentPrivateKey
Recommendation

Use a dedicated Privy app and wallet, avoid the private-key path, declare credentials in metadata, and enforce least-privilege Privy policies before enabling the skill.

What this means

Users cannot verify what code would actually sign, submit, or record payments if they follow these instructions or obtain the missing files elsewhere.

Why it was flagged

The SKILL.md references implementation and example files, but the provided manifest says only SKILL.md is present and there are no code files. For a high-impact payment skill, the referenced transaction logic is not reviewable.

Skill content
import { payViaEVVMWithPrivy } from './src/index'; ... See `examples/` directory
Recommendation

Do not use with real funds until the complete source, examples, dependency list, and provenance are provided and reviewed.