forgex-skill
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated crypto market-making purpose, but it asks users to install an unreviewed CLI that can handle private keys, move funds, launch tokens, and run trading bots.
Review this skill carefully before installing. Treat it as a high-risk crypto wallet and trading tool: verify the npm package and source code, use a fresh low-balance wallet first, keep private keys out of shell history where possible, run dry-runs, and require explicit approval before any live transfer, token launch, wallet export, or bot run.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user runs the wrong command, funds can be spent, transactions can be publicly executed, or a bot can trade repeatedly before the mistake is caught.
These examples authorize live on-chain fund movement, token launch, and repeated bot trades. The artifacts do not require explicit user confirmation, spending caps, or other guardrails before high-impact blockchain actions.
forgex --password "your-password" transfer out ... --value 0.1
token create ... --dry-run # remove --dry-run when ready to go live
tools volume ... --count 10 --rounds 20
Require explicit user approval for every live on-chain action, default to dry-run, set small spending limits, and make bot duration/round limits obvious before execution.
A mishandled private key, password, or backup file could give someone else control over the user's wallets and funds.
The skill instructs users to provide wallet passwords and private keys and to import/export key material. Private keys grant direct control over crypto funds, and the artifacts do not show clear credential scoping or storage safeguards.
forgex --password "pwd" wallet add --group 1 --private-key "Base58Key..."
wallet import --group 1 --file ./wallets.csv
wallet export --group 1 --file ./backup.csv
Use only dedicated low-value wallets, avoid passing secrets on the command line when possible, verify where keys are stored, encrypt backups by default, and never import a main wallet private key into an unreviewed tool.
A compromised or different npm package version could access wallet material or execute unintended transactions.
The skill directs a global install of an external npm package, but the supplied review context has no code files, no install spec, unknown source, and no homepage. Because this CLI is then used with private keys and on-chain funds, the unreviewed package provenance is material.
npm install -g forgex-cli
Verify the npm publisher and source repository, pin an exact package version, review the package code and install scripts, and test only with disposable wallets before trusting it with real funds.
