Api3 Feed Manager Executor
Advisory
Audited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is allowed to execute instead of only plan, it may submit onchain purchases or top-ups for Api3 feed subscriptions.
The skill intentionally exposes transaction execution and browser-assisted funding. This is purpose-aligned, but a mistaken invocation could spend real funds.
when explicitly requested, execute the supported browser-assisted or signer-backed funding path that can spend funds onchain. Default to discovery, readiness checks, and dry-run planning first.
Use dry-run/discovery modes first, verify the chain, feed, amount, recipient contract, and calldata, and require explicit human approval before any transaction is signed or browser wallet flow is completed.
A signer or private key provided to this tool can authorize spending from that wallet.
The CLI can accept signer material for transaction submission. That signer controls wallet authority for the relevant chain.
execute-buy-subscription ... --signing-key <local-runtime-signer>
Use a dedicated limited-balance wallet, avoid committing or logging private keys, prefer safer runtime secret handling where available, and do not provide a signer unless you intend to execute a transaction.
Future dependency versions could change behavior if the package is installed or rebuilt without a lockfile.
The package uses semver ranges rather than exact pinned dependency versions. This is common, but dependency changes matter more for code that prepares or signs transactions.
"@api3/contracts": "^37.0.0", "@api3/dapi-management": "^4.13.0", "ethers": "^6.15.0"
For production or high-value wallets, review the exact installed dependency versions and use a lockfile or pinned versions.
