ZeroEx Swap
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill matches its 0x swap purpose, but it requires a raw wallet private key and can submit irreversible token approvals/swaps without a built-in confirmation gate, while registry metadata does not declare those credentials.
Only install this if you are comfortable with an agent-accessible tool that can sign blockchain transactions. Use a dedicated wallet with minimal funds, set the private key only in a temporary trusted environment, run quote-only first, verify chain/token/amount/spender/slippage manually, and do not allow autonomous swap execution without explicit confirmation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1
If the agent or process has access to this key, it can sign transactions that spend wallet funds.
The skill uses a raw wallet private key to create a signing wallet. That is expected for direct swaps, but it grants full authority over the funded wallet, and the registry metadata separately declares no primary credential or required environment variables.
    const key = process.env.PRIVATE_KEY || process.env.ZEROEX_PRIVATE_KEY; ... const wallet = new ethers.Wallet(privateKey, provider);
Use only a dedicated hot wallet with limited funds, keep the key out of shared environments, and ensure the skill metadata clearly declares the private-key requirement.

Finding 2
A mistaken or autonomous invocation could approve or execute a token swap with real funds before the user has reviewed the exact transaction.
When invoked, the script can approve token spending and submit a swap transaction without an in-code confirmation prompt. These are irreversible financial actions.
    const approveTx = await token.approve(quote.to, sellAmount); await approveTx.wait(); ... const resp = await wallet.sendTransaction(tx);
Add a mandatory confirmation step showing wallet, chain, tokens, amounts, spender, slippage, and transaction target before any approval or swap; default to quote-only unless the user explicitly confirms execution.
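As an added example (not the skill's own code), a confirmation gate of the kind this recommendation describes: it defaults to quote-only, summarises wallet, chain, tokens, amounts, spender, transaction target and slippage, enforces a chain/spender/slippage policy, and only allows execution when the caller echoes back the exact summary it reviewed. The quote field names allowanceTarget, minBuyAmount and slippageBps, and the policy shape, are assumptions for illustration.

```javascript
// Added example, not code from the audited skill. Field names such as
// allowanceTarget, minBuyAmount and slippageBps are illustrative assumptions.

// Everything the user must see before approve() or sendTransaction() runs.
function summarizeSwap(quote, ctx) {
  return {
    wallet: ctx.walletAddress,
    chainId: quote.chainId,
    sellToken: quote.sellToken,
    buyToken: quote.buyToken,
    sellAmount: String(quote.sellAmount),     // String() so BigInt amounts survive JSON
    minBuyAmount: String(quote.minBuyAmount),
    spender: quote.allowanceTarget,           // address approve() would authorize
    target: quote.to,                         // contract the swap tx is sent to
    slippageBps: quote.slippageBps,
  };
}

// Default is quote-only. Execution requires the caller to echo back the exact
// summary it reviewed, so a changed quote or amount invalidates the confirmation.
// Policy checks (chain, spender allowlist, slippage cap) run before anything else.
function gateSwap(quote, ctx, policy, confirm) {
  const summary = summarizeSwap(quote, ctx);
  if (summary.chainId !== policy.expectedChainId)
    throw new Error(`chain mismatch: quote ${summary.chainId}, expected ${policy.expectedChainId}`);
  if (!policy.allowedSpenders.includes(String(summary.spender).toLowerCase()))
    throw new Error(`spender ${summary.spender} is not on the allowlist`);
  if (summary.slippageBps > policy.maxSlippageBps)
    throw new Error(`slippage ${summary.slippageBps} bps exceeds cap ${policy.maxSlippageBps}`);
  if (!confirm || confirm.execute !== true) return { action: "quote", summary };
  if (JSON.stringify(confirm.summary) !== JSON.stringify(summary))
    throw new Error("confirmation does not match this exact swap; re-quote and confirm again");
  return { action: "execute", summary };
}

// Constructed sample quote, policy and wallet context for a stand-alone run.
const SAMPLE_QUOTE = { chainId: 1, sellToken: "0xSell", buyToken: "0xBuy", sellAmount: 1000000n,
  minBuyAmount: 990000n, allowanceTarget: "0xSpender", to: "0xRouter", slippageBps: 50 };
const SAMPLE_POLICY = { expectedChainId: 1, allowedSpenders: ["0xspender"], maxSlippageBps: 100 };
const SAMPLE_CTX = { walletAddress: "0xHotWallet" };

// First call: quote only. Second call: execute, echoing the reviewed summary back.
function demo() {
  const first = gateSwap(SAMPLE_QUOTE, SAMPLE_CTX, SAMPLE_POLICY);
  const second = gateSwap(SAMPLE_QUOTE, SAMPLE_CTX, SAMPLE_POLICY, { execute: true, summary: first.summary });
  return [first.action, second.action];   // ["quote", "execute"]
}
```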

Finding 3
Future dependency versions could change behavior or introduce vulnerabilities.
The install pulls npm packages using semver ranges, and no lockfile is provided in the artifacts. This is common for Node projects but deserves attention for a wallet-signing skill.
    "dependencies": { "axios": "^1.7.0", "ethers": "^6.13.0", "viem": "^2.19.0" }
Pin dependencies with a lockfile and review installed package versions before using the skill with funds.
