Debridge Mcp

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is a disclosed deBridge crypto-swap integration, but it should be reviewed carefully because it enables high-impact financial order creation through an agent and relies on unpinned external MCP code not included in the package.

Install only if you trust and have reviewed the external deBridge MCP repository being cloned. Treat every swap or transfer as a real financial transaction: require explicit confirmation, verify quotes and slippage yourself, and ensure wallet signing remains under your control.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked incorrectly or without careful confirmation, the agent could initiate a crypto order with real financial consequences.

Why it was flagged

The skill exposes an order-creation tool for crypto swaps/transfers. Although it tells the agent to get user confirmation, the provided artifacts do not show enforced approval gates, amount limits, destination checks, or reversibility for these high-impact financial actions.

Skill content

- **create_order**: Create cross-chain order
...
3. Create order if user confirms

Recommendation

Use only with explicit per-transaction confirmation, independently verify token, chain, amount, recipient, slippage, and fees, and prefer wallet-level signing prompts that the agent cannot bypass.

What this means

The code actually handling quotes and order creation may change outside this skill package and was not fully reviewable from the provided artifacts.

Why it was flagged

The runtime MCP server is cloned and built from an external repository at install time, without a pinned commit or included source in this package. That matters because this external code would power the agent's high-impact crypto swap tools.

Skill content

git clone https://github.com/debridge-finance/debridge-mcp.git ~/debridge-mcp
...
npm install
...
npm run build

Recommendation

Review the external repository before installing, pin to a known commit or release, verify npm dependencies and lockfiles, and align registry metadata with the actual installed source.

What this means

Agents may continue to have access to quote and order-creation tools in later sessions.

Why it was flagged

The instructions add a persistent MCP server to the OpenClaw configuration. This is expected for an MCP integration, but it means the deBridge tools remain available to agents after restart until the user removes or disables the configuration.

Skill content

"servers": [
  {
    "name": "debridge",
    "transport": "stdio",
    "command": "node",
    "args": ["/home/ubuntu/debridge-mcp/dist/index.js"]
  }
]

Recommendation

Disable or remove the MCP server from OpenClaw configuration when not actively using it, especially before unrelated agent tasks.