Kaspa Dev

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a legitimate Kaspa development reference, but it includes examples that handle wallet secrets and broadcast blockchain transactions, so users should protect keys and confirm any real transfers.

This skill is appropriate for Kaspa development, but treat all transaction and wallet examples as high-impact. Use testnet/devnet first, verify packages and API endpoints, never share real private keys or mnemonics with the agent, and manually approve any mainnet transaction before it is broadcast.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used with real mainnet keys and addresses, a mistake could send funds to the wrong recipient or spend more than intended.

Why it was flagged

The skill documents signing and broadcasting Kaspa transactions. This is central to the stated blockchain-development purpose, but broadcasting a signed transaction can irreversibly move funds.

Skill content

const signedTx = await signTransaction(tx, privateKey); ... const txId = await rpc.submitTransaction(signedTx);

Recommendation

Use testnet/devnet for development, verify recipient/amount/fees/network, and require explicit user confirmation before submitting any transaction.

What this means

A private key exposed in terminal history, logs, screenshots, source code, or chat can let someone else spend the wallet’s funds.

Why it was flagged

The quick-start example prints a generated private key. Private keys are wallet credentials and control any funds later sent to the generated address.

Skill content

console.log('Private Key:', privateKey.toString());

Recommendation

Do not log or paste real private keys or mnemonics; use secure wallet/key storage and only use throwaway test keys in examples.

What this means

Leaked API keys could allow unauthorized use of the user’s Kaspa API quota or account.

Why it was flagged

The API reference requires a bearer API key for the Kaspa Developer Platform. This is expected for an API integration but is still a credential.

Skill content

API requests require an API key passed in the header: Authorization: Bearer YOUR_API_KEY

Recommendation

Store API keys in environment variables or a secrets manager, avoid committing them to code, and rotate them if exposed.