spanDEX Trader
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Base trading skill, but it asks for a wallet private key and can automatically sign/broadcast financial transactions without clearly documented safety limits.
Only install this if you are comfortable running a local trading script that can sign real Base transactions. Use a fresh, low-value wallet; run a quote or dry-run first; verify the full source and dependency tree; pin versions; and confirm every token, amount, slippage value, approval, and provider before allowing a live swap or limit-order action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. A raw wallet private key gives the script full signing authority

If the skill, its dependencies, or an agent invocation is wrong or compromised, the funded wallet could lose assets or sign unintended approvals or orders.

A raw wallet private key, or an arbitrary key file, gives the script authority to sign any transaction for that wallet. This is expected for a trading tool, but it is high-impact, and the registry metadata declares no primary credential or required environment variables, so a user cannot see from the listing that a private key will be requested.

From SKILL.md:
`SPANDEX_PRIVATE_KEY` | Wallet private key (hex). OR use `SPANDEX_KEY_PATH` for file-based key

Use only a dedicated, low-balance trading wallet, never a main wallet, and ensure the credential requirement is clearly declared in the metadata before installation.
2. Live trades are signed and broadcast with no confirmation step or spend limit

A single mistaken or ambiguous trading request could result in real swaps, token approvals, gas costs, or limit-order actions across providers.

The documented flow signs and broadcasts on-chain transactions and, on failure, automatically retries with the next provider. There is no documented mandatory confirmation step, spend limit, approval review, or default dry-run, so a fallback provider's differently built transaction can be broadcast without anyone reviewing it.

From SKILL.md:
Execute swap (best price, automatic fallback) ... `buildCalls()` → `sendTransaction()` with priority fee → if fail, try next provider

Require explicit user confirmation for every live trade, review the exact tokens, amounts, slippage, approvals, and provider before broadcasting, and make quote/dry-run the default workflow.
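The gate this recommendation (and the overview) asks for, written as an added example; it is not code from spanDEX Trader or @spandex/core. It assumes the agent's intent arrives as a `trade` object and that each provider's `buildCalls()` yields `{to, data, value}` objects; the addresses, provider names and limits are constructed. It rejects anything outside the allowlists, decodes ERC-20 `approve()` calldata so unlimited or off-target approvals are caught, defaults to dry-run, requires an explicit confirmation flag for a live broadcast, and re-runs the whole check for each fallback provider instead of trusting the first provider's result.

```javascript
"use strict";

// Added example, not code from spanDEX Trader or @spandex/core: a policy gate
// between buildCalls() and sendTransaction(). The shapes of `trade` (the
// agent's intent) and `calls` ({to, data, value} built by a provider) are
// assumptions; addresses, provider names and limits below are constructed.

const APPROVE_SELECTOR = "0x095ea7b3"; // ERC-20 approve(address,uint256)
const norm = (addr) => String(addr).toLowerCase();

// Constructed addresses: dedicated trading wallet, two ERC-20 tokens, one router.
const WALLET = "0x" + "1".repeat(40);
const TOKEN_A = "0x" + "a".repeat(40);
const TOKEN_B = "0x" + "b".repeat(40);
const ROUTER = "0x" + "c".repeat(40);

// Policy for a dedicated low-value wallet. dryRun is the default mode.
const POLICY = {
  dryRun: true,
  wallet: WALLET,
  allowedTokens: new Set([TOKEN_A, TOKEN_B]),
  allowedProviders: new Set(["provider-a", "provider-b"]),
  allowedSpenders: new Set([ROUTER]), // routers that may receive approvals or calls
  maxAmountIn: 100n * 10n ** 6n,      // 100 units of a 6-decimal token per trade
  maxSlippageBps: 50,
};

// approve(spender, amount) calldata: 4-byte selector, then two 32-byte words.
function encodeApprove(spender, amount) {
  return APPROVE_SELECTOR + norm(spender).slice(2).padStart(64, "0") + amount.toString(16).padStart(64, "0");
}
function decodeApprove(data) {
  const d = String(data).toLowerCase();
  if (!d.startsWith(APPROVE_SELECTOR) || d.length !== 138) return null;
  return { spender: "0x" + d.slice(34, 74), amount: BigInt("0x" + d.slice(74, 138)) };
}

// Check the agent's stated intent against the policy.
function checkTrade(trade, policy) {
  const r = [];
  if (norm(trade.wallet) !== norm(policy.wallet)) r.push("wallet is not the dedicated trading wallet");
  if (!policy.allowedTokens.has(norm(trade.tokenIn))) r.push(`tokenIn not allowlisted: ${trade.tokenIn}`);
  if (!policy.allowedTokens.has(norm(trade.tokenOut))) r.push(`tokenOut not allowlisted: ${trade.tokenOut}`);
  if (typeof trade.amountIn !== "bigint" || trade.amountIn <= 0n) r.push("amountIn must be a positive bigint");
  else if (trade.amountIn > policy.maxAmountIn) r.push(`amountIn ${trade.amountIn} exceeds per-trade limit ${policy.maxAmountIn}`);
  if (!Number.isInteger(trade.slippageBps) || trade.slippageBps < 0 || trade.slippageBps > policy.maxSlippageBps)
    r.push(`slippage ${trade.slippageBps} bps outside 0..${policy.maxSlippageBps}`);
  if (!policy.allowedProviders.has(trade.provider)) r.push(`provider not allowlisted: ${trade.provider}`);
  return r;
}

// Check what the provider actually built: every call must target an allowlisted
// router, and every approval must be on tokenIn, to an allowlisted spender, for
// no more than amountIn (unlimited approvals are rejected). This policy only
// allowlists ERC-20 inputs, so no call may carry native value.
function checkCalls(calls, trade, policy) {
  const r = [];
  calls.forEach((call, i) => {
    const approval = decodeApprove(call.data);
    if (approval) {
      if (norm(call.to) !== norm(trade.tokenIn)) r.push(`call ${i}: approval on ${call.to}, expected tokenIn`);
      if (!policy.allowedSpenders.has(approval.spender)) r.push(`call ${i}: approval to non-allowlisted spender ${approval.spender}`);
      if (approval.amount > trade.amountIn) r.push(`call ${i}: approval ${approval.amount} exceeds amountIn ${trade.amountIn}`);
    } else if (!policy.allowedSpenders.has(norm(call.to))) {
      r.push(`call ${i}: target ${call.to} is not an allowlisted router`);
    }
    if ((call.value ?? 0n) > 0n) r.push(`call ${i}: sends native value ${call.value}`);
  });
  return r;
}

// Reject on any violation; dry-run by default; broadcast only when the caller
// opts into live mode AND carries an explicit user confirmation.
function gate(trade, calls, policy, opts = {}) {
  const reasons = [...checkTrade(trade, policy), ...checkCalls(calls, trade, policy)];
  if (reasons.length) return { action: "reject", reasons };
  if (policy.dryRun && !opts.live) return { action: "dry-run", reasons: [] };
  if (!opts.confirmed) return { action: "reject", reasons: ["live trade requires explicit user confirmation"] };
  return { action: "broadcast", reasons: [] };
}

// "If fail, try next provider": each fallback builds its own calls, so the gate
// runs again per candidate rather than reusing the first provider's verdict.
function selectProvider(trade, candidates, policy, opts = {}) {
  const rejected = [];
  for (const c of candidates) {
    const res = gate({ ...trade, provider: c.provider }, c.calls, policy, opts);
    if (res.action !== "reject") return { provider: c.provider, ...res, rejected };
    rejected.push({ provider: c.provider, reasons: res.reasons });
  }
  return { provider: null, action: "reject", reasons: ["no provider passed policy"], rejected };
}

// Constructed sample: a 50-unit swap with an exact-amount approval and an
// opaque swap call (placeholder calldata, not a real router ABI).
const SAMPLE_TRADE = { wallet: WALLET, tokenIn: TOKEN_A, tokenOut: TOKEN_B, amountIn: 50n * 10n ** 6n, slippageBps: 30, provider: "provider-a" };
const SAMPLE_CALLS = [
  { to: TOKEN_A, data: encodeApprove(ROUTER, SAMPLE_TRADE.amountIn), value: 0n },
  { to: ROUTER, data: "0xdeadbeef", value: 0n },
];
const UNLIMITED_CALLS = [{ to: TOKEN_A, data: encodeApprove(ROUTER, (1n << 256n) - 1n), value: 0n }, SAMPLE_CALLS[1]];

console.log(gate(SAMPLE_TRADE, SAMPLE_CALLS, POLICY));                                       // dry-run
console.log(gate(SAMPLE_TRADE, UNLIMITED_CALLS, POLICY, { live: true, confirmed: true }));   // reject
console.log(selectProvider(SAMPLE_TRADE, [
  { provider: "provider-a", calls: UNLIMITED_CALLS },
  { provider: "provider-b", calls: SAMPLE_CALLS },
], POLICY, { live: true, confirmed: true }));                                                // provider-b, broadcast
```

The `confirmed` flag should come from the human, not from the agent invocation: an agent that can set it on its own turn has merely renamed the problem. The approval check is the part most often skipped; a router that asks for `approve(spender, 2**256-1)` is convenient but leaves the spender able to drain the token later, which is exactly the "unintended approvals" outcome the finding describes.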
3. Unpinned npm dependencies sit on the quote and signing path

Dependency changes or package compromise could affect how trades are built or signed.

The setup has the user install npm packages manually, without pinned versions: `npm i` records a caret range such as `^x.y.z` by default, so a later install can resolve a newer release. This is normal for a Node-based integration, but these packages are involved in quote building and transaction signing, so whatever version npm resolves at install time runs with the wallet key.

From SKILL.md:
cd <skill-dir>/scripts && npm init -y && npm i viem @spandex/core

Install from a trusted environment, pin exact package versions and keep the lockfile, review the full dependency tree, and avoid running the skill with a valuable wallet key.
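One way to check the result of the setup step above and to pin it, as an added example that is not part of spanDEX Trader: it reads a package.json and a lockfile, flags version ranges, missing integrity hashes and packages resolved from somewhere other than the npm registry, and derives an exact-version manifest from what the lockfile actually resolved. The sample manifest and lockfile are constructed; the version numbers, URLs and integrity hash are placeholders, not real releases of viem or @spandex/core.

```javascript
"use strict";

// Added example, not from spanDEX Trader: audit the manifest and lockfile that
// `npm init -y && npm i viem @spandex/core` leaves behind, then derive a pinned
// manifest from the lockfile. Sample files are constructed; versions, URLs and
// the integrity hash are placeholders, not real releases.

const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const REGISTRY = /^https:\/\/registry\.npmjs\.org\//;

// "1.2.3" or "1.2.3-beta.1" counts as pinned; "^1.2.3", "~1.2", "*", "latest",
// git and tarball URLs do not.
function isPinned(spec) {
  return EXACT.test(String(spec).trim());
}

function auditManifest(pkg, lock) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!isPinned(spec)) findings.push({ level: "warn", name, msg: `${field}.${name} = "${spec}" is a range, not an exact version` });
    }
  }
  if (!lock) {
    findings.push({ level: "error", name: "package-lock.json", msg: "no lockfile; npm ci cannot reproduce this install" });
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // the root project entry
    const name = path.replace(/^.*node_modules\//, "");
    if (!entry.integrity) findings.push({ level: "error", name, msg: `${path} has no integrity hash` });
    if (entry.resolved && !REGISTRY.test(entry.resolved)) findings.push({ level: "warn", name, msg: `${path} resolved from ${entry.resolved}` });
  }
  return findings;
}

// Rewrite each range to the exact version the lockfile resolved, so a later
// `npm install` cannot silently pick up a newer release.
function pinnedManifest(pkg, lock) {
  const out = { ...pkg };
  for (const field of ["dependencies", "devDependencies"]) {
    if (!pkg[field]) continue;
    out[field] = {};
    for (const [name, spec] of Object.entries(pkg[field])) {
      const entry = lock?.packages?.[`node_modules/${name}`];
      out[field][name] = entry?.version ?? spec; // keep the range if the lock has no entry
    }
  }
  return out;
}

// Constructed sample: the caret ranges the setup step typically produces, plus
// one dependency fetched from a non-registry tarball with no integrity hash.
const SAMPLE_PKG = { name: "scripts", version: "1.0.0", dependencies: { viem: "^2.0.0", "@spandex/core": "^1.0.0" } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "scripts", dependencies: SAMPLE_PKG.dependencies },
    "node_modules/viem": { version: "2.0.0", resolved: "https://registry.npmjs.org/viem/-/viem-2.0.0.tgz", integrity: "sha512-PLACEHOLDER" },
    "node_modules/@spandex/core": { version: "1.0.0", resolved: "https://example.invalid/core-1.0.0.tgz" },
  },
};

console.log(auditManifest(SAMPLE_PKG, SAMPLE_LOCK));
console.log(pinnedManifest(SAMPLE_PKG, SAMPLE_LOCK).dependencies);
```

Once the manifest is pinned, install with `npm ci` so the lockfile is honoured exactly, and use `npm install --save-exact` (or `npm config set save-exact true`) for any package added later; `npm ls --all` prints the resolved dependency tree the recommendation asks you to review.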
