spanDEX Trader

Status: Pending. Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the skill, its dependencies, or an agent invocation is wrong or compromised, the funded wallet could lose assets or sign unintended approvals/orders.

Why it was flagged

A raw wallet private key or arbitrary key file gives the script authority to sign transactions for that wallet. This is expected for a trading tool, but it is high-impact and the registry metadata declares no primary credential or env vars.

Skill content
`SPANDEX_PRIVATE_KEY` | Wallet private key (hex). OR use `SPANDEX_KEY_PATH` for file-based key
Recommendation

Use only a dedicated low-balance trading wallet, never a main wallet, and ensure the credential requirement is clearly declared before installation.

What this means

A single mistaken or ambiguous trading request could result in real swaps, token approvals, gas costs, or limit-order actions across providers.

Why it was flagged

The documented flow signs and broadcasts on-chain transactions and automatically retries other providers. There is no documented mandatory confirmation step, spend limit, approval review, or default dry-run.

Skill content
Execute swap (best price, automatic fallback) ... `buildCalls()` → `sendTransaction()` with priority fee → if fail, try next provider
Recommendation

Require explicit user confirmation for every live trade, review exact tokens/amounts/slippage/provider before broadcasting, and make dry-run/quote the default workflow.

What this means

Dependency changes or package compromise could affect how trades are built or signed.

Why it was flagged

The setup installs unpinned npm packages manually. This is normal for a Node-based integration, but these dependencies are involved in quote building and transaction signing.

Skill content
cd <skill-dir>/scripts && npm init -y && npm i viem @spandex/core
Recommendation

Install from a trusted environment, pin package versions, review the full dependency tree, and avoid running the skill with a valuable wallet key.