Usdc Dance Evvm Payment
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: openclaw-skill-usdc-dance-evvm
Version: 0.1.0
The skill is designed for legitimate financial transactions using USDC.d on an EVM chain, integrating with Privy for wallet management. It requires access to sensitive `PRIVY_APP_ID` and `PRIVY_APP_SECRET` environment variables, which, while necessary for its function, introduce a risk if mishandled. Furthermore, the `SKILL.md` documentation explicitly describes a 'Legacy' function (`payViaEVVM`) that accepts a raw `privateKey` as an argument, which is a significant vulnerability risk, even though the documentation labels it 'not recommended for production' and promotes a more secure Privy-based method. While the skill includes strong security recommendations, the presence of this high-risk private key handling capability and the necessity for sensitive API keys warrant a 'suspicious' classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could make unintended or excessive payments if it misunderstands a task, is prompted maliciously, or uses the wrong recipient or amount.
The artifact explicitly authorizes autonomous payment behavior. For a funds-transfer skill, lack of a required approval gate, enforced spending cap, or recipient allowlist is a material control concern.
✅ **Autonomous Payments**: Agents can pay each other without human intervention
Require explicit user confirmation for each payment unless a verified policy enforces strict amount, recipient, chain, and contract limits. Start on testnet and use low spending caps.
If these credentials are misused or exposed, wallet actions and payments may be possible under the user's Privy app or key authority.
The skill requests Privy app credentials and also documents a private-key payment path. These grant signing and payment authority, but the supplied registry requirements declare no env vars or primary credential.
"PRIVY_APP_ID": "your-app-id", "PRIVY_APP_SECRET": "your-app-secret" ... privateKey: agentPrivateKey
Use a dedicated Privy app and wallet, avoid the private-key path, declare credentials in metadata, and enforce least-privilege Privy policies before enabling the skill.
Users cannot verify what code would actually sign, submit, or record payments if they follow these instructions or obtain the missing files elsewhere.
The SKILL.md references implementation and example files, but the provided manifest says only SKILL.md is present and there are no code files. For a high-impact payment skill, the referenced transaction logic is not reviewable.
import { payViaEVVMWithPrivy } from './src/index'; ... See `examples/` directory
Do not use with real funds until the complete source, examples, dependency list, and provenance are provided and reviewed.
