forgex-skill
Advisory. Audited by VirusTotal on Mar 26, 2026.
Overview
Type: OpenClaw Skill
Name: forgex-skill
Version: 1.0.1
The skill bundle provides instructions for an AI agent to drive 'forgex-cli', a tool for Solana wallet management, token launching, and automated market making. It involves high-risk capabilities: handling private keys and passwords, and issuing on-chain financial transactions (e.g., 'transfer', 'trade', 'token create'). The SKILL.md documentation is detailed and includes safety recommendations such as '--dry-run', but the requirement to install an external global npm package, combined with the inherent risk of an AI agent managing sensitive crypto credentials, meets the threshold for a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user runs the wrong command, funds can be spent, transactions can be publicly executed, or a bot can trade repeatedly before the mistake is caught.
The commands the skill documents authorize live on-chain fund movement, token launch, and repeated bot trades. The artifacts do not require explicit user confirmation, spending caps, or other guardrails before these high-impact blockchain actions.
forgex --password "your-password" transfer out ... --value 0.1
token create ... --dry-run   # remove --dry-run when ready to go live
tools volume ... --count 10 --rounds 20
Require explicit user approval for every live on-chain action, default to --dry-run, set small spending limits, and make bot duration and round limits obvious before execution.
A mishandled private key, password, or backup file could give someone else control over the user's wallets and funds.
The skill instructs users to provide wallet passwords and private keys and to import/export key material. Private keys grant direct control over crypto funds, and the artifacts do not show clear credential scoping or storage safeguards.
forgex --password "pwd" wallet add --group 1 --private-key "Base58Key..."
wallet import --group 1 --file ./wallets.csv
wallet export --group 1 --file ./backup.csv
Use only dedicated low-value wallets; avoid passing secrets on the command line where possible (argv is visible in process listings and shell history); verify where keys are stored; encrypt backups by default; and never import a main wallet private key into an unreviewed tool.
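The two findings above both come down to what an agent harness lets through to forgex-cli. The following is an added example of a policy gate that sits in front of the CLI; it is not part of forgex-cli or the skill. It encodes the recommendations as checks on the argv the agent is about to run: refuse secrets on the command line, require --dry-run or a human approval token for live on-chain actions, and cap transfer value and bot trade counts. The thresholds, the approval flag and the list of live verbs are assumptions drawn from the commands quoted in the findings.

```python
"""Policy gate an agent harness could place in front of forgex-cli.

Added example for this advisory; not code from forgex-cli or the skill.
Thresholds, the approval token and the verb list are assumptions taken
from the commands the findings quote."""
from __future__ import annotations

from dataclasses import dataclass

# Verb prefixes the findings quote as moving funds or trading on-chain (assumed list).
LIVE_ACTIONS = (("transfer", "out"), ("token", "create"), ("tools", "volume"), ("trade",))
# Flags whose values are secrets; argv is visible in `ps` output and shell history.
SECRET_FLAGS = ("--password", "--private-key")


@dataclass
class Policy:
    max_value: float = 0.05      # cap on a single transfer (assumed unit: SOL, as in `--value 0.1`)
    max_bot_trades: int = 50     # cap on count * rounds for `tools volume`
    approved: bool = False       # True only after a human confirmed this exact argv


def _opt(argv: list[str], flag: str) -> str | None:
    """Value following `flag`, or None when the flag is absent."""
    for i, token in enumerate(argv[:-1]):
        if token == flag:
            return argv[i + 1]
    return None


def _verbs(argv: list[str]) -> tuple[str, ...]:
    """Subcommand words with flags and their values removed, e.g. ('transfer', 'out')."""
    words, skip = [], False
    for token in argv[1:]:
        if skip:
            skip = False
        elif token.startswith("--"):
            skip = token != "--dry-run"  # every other flag in the findings takes a value
        else:
            words.append(token)
    return tuple(words)


def _is_live(verbs: tuple[str, ...]) -> bool:
    return any(verbs[: len(prefix)] == prefix for prefix in LIVE_ACTIONS)


def check_invocation(argv: list[str], policy: Policy | None = None) -> list[str]:
    """Return the policy violations for `argv`; an empty list means it may run."""
    policy = policy or Policy()
    problems = []
    for flag in SECRET_FLAGS:
        if _opt(argv, flag) is not None:
            problems.append(f"{flag} given on the command line; read it from a prompt or file instead")
    verbs = _verbs(argv)
    if _is_live(verbs) and "--dry-run" not in argv and not policy.approved:
        problems.append(f"live action '{' '.join(verbs)}' without --dry-run or explicit approval")
    if verbs[:2] == ("transfer", "out"):
        value = _opt(argv, "--value")
        if value is None or float(value) > policy.max_value:
            problems.append(f"--value {value} exceeds the cap of {policy.max_value}")
    if verbs[:2] == ("tools", "volume"):
        trades = int(_opt(argv, "--count") or 0) * int(_opt(argv, "--rounds") or 0)
        if trades == 0 or trades > policy.max_bot_trades:
            problems.append(f"bot would place {trades} trades; cap is {policy.max_bot_trades}")
    return problems


def approval_view(argv: list[str]) -> list[str]:
    """argv with secret values redacted and --dry-run added, for logging or showing to the user."""
    shown, i = [], 0
    while i < len(argv):
        if argv[i] in SECRET_FLAGS and i + 1 < len(argv):
            shown += [argv[i], "<redacted>"]
            i += 2
        else:
            shown.append(argv[i])
            i += 1
    if _is_live(_verbs(shown)) and "--dry-run" not in shown:
        shown.append("--dry-run")
    return shown


if __name__ == "__main__":
    # The commands quoted in the findings, split into argv as a shell would.
    for cmd in (
        ["forgex", "--password", "your-password", "transfer", "out", "--value", "0.1"],
        ["forgex", "token", "create", "--dry-run"],
        ["forgex", "tools", "volume", "--count", "10", "--rounds", "20"],
    ):
        print(" ".join(approval_view(cmd)), "->", check_invocation(cmd) or "allowed")
```

The first quoted command trips all three rules (password in argv, live transfer without --dry-run or approval, value above the cap); the dry-run token launch passes; the volume bot is blocked both for missing approval and for the 200 trades that `--count 10 --rounds 20` implies. `approval_view` is what the harness should show the user before setting `approved`: secrets redacted, and the dry-run form first.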
A compromised or different npm package version could access wallet material or execute unintended transactions.
The skill directs a global install of an external npm package, but the supplied review context has no code files, no install spec, an unknown source, and no homepage. Because the CLI is then used with private keys and on-chain funds, the unreviewed package provenance is material.
npm install -g forgex-cli
Verify the npm publisher and source repository, pin an exact package version, review the package code and install scripts (lifecycle hooks run during npm install), and test only with disposable wallets before trusting it with real funds.
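As an added example of the review step above (not code from forgex-cli or ClawScan), the following checks a package manifest for the red flags the recommendation names: scripts that run at install time, missing publisher and source metadata, and an unpinned version spec. The manifest it inspects is a constructed sample, not the real forgex-cli package.json; in practice the dict would come from `npm view <pkg> --json` or the package.json inside an `npm pack` tarball, a step left to the caller so the example runs offline.

```python
"""Static pre-install checks on an npm manifest before a wallet tool is trusted.

Added example for this advisory, not code from forgex-cli or ClawScan.
SAMPLE_MANIFEST below is constructed for demonstration."""
from __future__ import annotations

import json
import re

# Hooks npm runs during install; any of these executes package code before you ever use the CLI.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Exact semver only; '^1.2.3', '~1.2', '1.x', '>=1', 'latest' and '*' all float.
EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def is_pinned(spec: str) -> bool:
    return bool(EXACT_SEMVER.match(spec.strip()))


def audit_manifest(manifest: dict, requested_spec: str) -> list[str]:
    """Red flags for installing `manifest` at `requested_spec`; empty means nothing to review."""
    flags = []
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            flags.append(f"{hook} script runs during install: {cmd!r}; read it before installing")
    for key in ("repository", "homepage", "author"):
        if not manifest.get(key):
            flags.append(f"no {key!r} in manifest; publisher and source cannot be cross-checked")
    if not is_pinned(requested_spec):
        flags.append(f"install spec {requested_spec!r} floats; a later publish could change the code")
    return flags


def pinned_install_command(name: str, version: str) -> str:
    """Exact-version global install with lifecycle scripts disabled until they have been reviewed."""
    if not is_pinned(version):
        raise ValueError(f"refusing to build an install command for floating spec {version!r}")
    return f"npm install -g {name}@{version} --ignore-scripts"


# Constructed sample manifest for demonstration; not forgex-cli's real package.json.
SAMPLE_MANIFEST = json.loads("""{
  "name": "forgex-cli",
  "version": "1.2.3",
  "bin": {"forgex": "bin/forgex.js"},
  "scripts": {"postinstall": "node scripts/setup.js"}
}""")

if __name__ == "__main__":
    for flag in audit_manifest(SAMPLE_MANIFEST, "latest"):
        print("-", flag)
    print(pinned_install_command(SAMPLE_MANIFEST["name"], SAMPLE_MANIFEST["version"]))
```

The bare `npm install -g forgex-cli` in the skill resolves to whatever is tagged latest at install time, so the sample manifest is flagged five times: the postinstall hook, the three missing provenance fields, and the floating spec. `--ignore-scripts` keeps the hook from running on a first, exploratory install; if the tool genuinely needs its postinstall step, read the script and reinstall without the flag once it is understood.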
