USD1 Transaction
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for testnet token transfers, but it requires a raw wallet private key and can initiate transfers without clear approval, limits, or credential declaration.
Only use this with a disposable testnet wallet and verify the amount and recipient yourself before any transfer. Do not provide a mainnet or valuable wallet private key unless the skill adds clearer credential declarations, explicit confirmation, and transaction safety controls.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user provides a real or reused wallet private key, the key could grant broad control over that wallet beyond this single testnet transfer.
The skill requires a raw wallet private key, which is a high-privilege credential that can authorize wallet actions if mishandled or reused.
- privateKey: string (secure, required) - sender wallet private key
Use only a disposable testnet wallet key, never a mainnet or personal wallet key, and require the publisher to declare this credential requirement clearly in metadata.
A mistaken or overly autonomous invocation could send testnet tokens to the wrong address, and the same workflow would be unsafe if adapted to real funds.
The code directly executes a token transfer using user-supplied inputs, with no artifact evidence of a separate confirmation, amount limit, recipient allowlist, or preflight review.
const transfer = await wh.tokenBridge().transfer(
  privateKey,
  chain,
  transferAmount,
  'USDC',
  new UniversalAddress(toAddress, 'hex')
);
Add an explicit user confirmation showing amount, token, source chain, recipient, and network before signing; validate amounts and addresses; and keep the skill locked to disposable testnet use unless stronger controls are added.
