Evk Live Borrow Proof

Pass

Audited by ClawScan on May 6, 2026.

Overview

This appears to be a purpose-aligned EVK borrow-test skill, but live mode can use a real wallet signer to make on-chain DeFi transactions.

Before installing or using live mode, treat this as a real financial transaction tool: preview first, inspect the config and transaction plan, use a dedicated low-balance wallet, keep signer material out of files and chats, set nonzero swap minimums, avoid unlimited approvals, and run it only in a trusted Node environment.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run live with a funded wallet, the skill can spend gas, approve token transfers, perform swaps, repay or create debt, deposit collateral, and change enabled collateral/controller state.

Why it was flagged

These are real on-chain operations that can move assets or change EVC account state when run live. This is aligned with the borrow-proof purpose and the skill documents preview/live safeguards.

Skill content

It supports: ... optional debt repayment ... optional single-hop Uniswap V3 style swaps ... collateral deposit ... disabling stale collateral vaults ... disabling stale controllers ... final tiny borrow

Recommendation

Run preview first, verify every address, amount, chain, RPC URL, and planned transaction, keep canary amounts small, avoid unlimited approvals unless truly needed, and prefer a dedicated low-balance proof wallet.

What this means

Anyone or anything that can access the signer environment variable may be able to authorize transactions from the proof wallet.

Why it was flagged

Live mode requires access to a wallet signer credential. That credential is expected for the stated blockchain purpose, but it controls real account authority.

Skill content

Required env vars: LIVE_SIGNER_ENV; Primary credential: LIVE_SIGNER_ENV

Recommendation

Use a limited-purpose wallet with minimal funds, keep the signer only in the local runtime environment, never commit it to config files, and confirm the configured account matches the intended signer.

What this means

Running the script with an untrusted or unexpected local Node dependency could affect transaction construction or execution.

Why it was flagged

The script depends on the external ethers package while the install section says there is no install spec. This is expected for EVM tooling, but dependency provenance is left to the user's local environment.

Skill content

const { JsonRpcProvider, Wallet, Contract, MaxUint256, parseUnits, formatUnits, formatEther, isAddress } = require('ethers');

Recommendation

Use a clean project or container, install a trusted pinned version of ethers, and review the full script before any live run.