test
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for building unsigned DeFi transactions, but users should carefully review generated transactions and the external CLI/API-key setup before using it.
Before installing, confirm you trust the external `defi-skills` CLI source. Never enter a private key or seed phrase. After the skill builds a transaction, review every transaction and approval carefully before signing in your wallet.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated transaction could transfer assets, approve spending, or interact with DeFi protocols if you later sign it.
The skill directs an agent to create transaction payloads for financial actions. This is purpose-aligned and bounded by being unsigned, but mistakes could still matter if the user signs the result.
Builds raw unsigned DeFi transactions using the `defi-skills` CLI... The output is an unsigned transaction (`to`, `value`, `data`). It never signs or broadcasts.
Review the `to`, `value`, `data`, approvals, token amounts, recipient, and protocol before signing any generated transaction.
The agent may produce a transaction payload without asking again when your request is clear.
The skill allows immediate transaction construction for clear one-step requests. It does not sign or broadcast, and it adds confirmation requirements for multi-step, ambiguous, or large/max requests.
**Direct intent**: If the user's request maps to a single action with clear parameters, build it immediately. No discussion needed.
Treat the generated transaction as a draft and verify it before signing, especially for approvals, swaps, or transfers.
Your safety depends partly on the external CLI package and package source, not just this SKILL.md file.
The reviewed skill is instruction-only and depends on installing an external CLI package from a custom package index; the CLI implementation is not included in the supplied artifacts.
pip install defi-skills --extra-index-url https://nethermind.jfrog.io/artifactory/api/pypi/kyoto-pypi-local-prod/simple
Install only from a trusted source, verify the package name/version where possible, and keep the CLI updated from the official provider.
The CLI will know which wallet address to use when constructing transactions.
A wallet address is needed to build some transactions and is declared as required. Wallet addresses are not private keys, but they identify an account and can reveal financial activity.
The CLI must be installed and a wallet address configured... defi-skills config set-wallet "$WALLET_ADDRESS"
Provide only the wallet address you intend to use, and never provide private keys or seed phrases.
Provider API keys may be stored by the CLI and used for blockchain data lookups.
The skill may require third-party provider API keys for on-chain data and instructs users to save them using the CLI config command. This is expected for the integration, but the optional credentials are not listed in the registry requirements.
Most actions that involve on-chain data need `ALCHEMY_API_KEY`... Balancer actions additionally need `THEGRAPH_API_KEY`.
Use least-privilege API keys, monitor usage, and revoke or rotate keys if you stop using the CLI.
