Agentic Lending Morpho

Pass

Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: agentic-lending-morpho
Version: 0.1.7

The skill bundle provides a legitimate and well-documented workflow for planning and deploying Morpho lending markets using Api3 data feeds. While the scripts in 'scripts/lib/api3-feed-manager.js' and 'scripts/lib/part2-morpho-planner.js' have the capability to sign and broadcast blockchain transactions using private keys, these actions are guarded by explicit user-approval flags and dry-run defaults. The use of minor obfuscation for the 'privateKey' string (e.g., using .join('')) is explicitly noted in the CHANGELOG.md as a technique to avoid false-positive hits from static analysis scanners. No evidence of data exfiltration, unauthorized execution, or malicious prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used in execution mode, the agent may submit irreversible on-chain transactions and spend funds for feed funding or deployment gas.

Why it was flagged

The skill can perform real blockchain funding and deployment actions, which are high-impact, but the instructions disclose this and gate it on explicit user approval.

Skill content

When the supported path is available and the user explicitly asks for it, this variant can send real transactions

Recommendation

Start with planning or dry-run mode, confirm chain/assets/market parameters, and approve exact transaction details before exposing signer credentials.

What this means

A wallet signer could spend funds or deploy contracts if the workflow is run in live mode.

Why it was flagged

The skill requires a signer environment variable, which can authorize wallet transactions. This is expected for the stated deployment workflow but is sensitive authority.

Skill content

env:
  - LIVE_SIGNER_ENV
primaryEnv: LIVE_SIGNER_ENV

Recommendation

Use a dedicated limited-balance signer, avoid broad production wallets, and remove or rotate signer material after use.

What this means

Deploying bundled artifacts means trusting the package’s included bytecode and runtime data.

Why it was flagged

The package includes bundled contract artifacts used for deployment. This is purpose-aligned, but users should verify package provenance and bytecode before deploying.

Skill content

bundled planning data under `data/part2/` ... contract artifacts required by the shared planner plus Morpho adapter deployment

Recommendation

Install from the expected publisher/source, compare bytecode against audited or official contract artifacts where possible, and review generated deployment output.