Evk Live Borrow Proof
PassAudited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill Name: evk-live-borrow-proof Version: 0.1.3 The skill bundle is a legitimate utility for testing and proving borrowability on Euler EVK lending markets. The core logic in `scripts/evk_live_borrow_proof.js` includes robust safety guardrails, such as a mandatory `--live` flag, a required string-based acknowledgement in the configuration, and slippage protection for token swaps. It follows standard security practices for agentic tools by using environment variables for sensitive keys and providing a read-only preview mode by default.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run live with a funded wallet, the skill can spend gas, approve token transfers, perform swaps, repay or create debt, deposit collateral, and change enabled collateral/controller state.
These are real on-chain operations that can move assets or change EVC account state when run live. This is aligned with the borrow-proof purpose and the skill documents preview/live safeguards.
It supports: ... optional debt repayment ... optional single-hop Uniswap V3 style swaps ... collateral deposit ... disabling stale collateral vaults ... disabling stale controllers ... final tiny borrow
Run preview first, verify every address, amount, chain, RPC URL, and planned transaction, keep canary amounts small, avoid unlimited approvals unless truly needed, and prefer a dedicated low-balance proof wallet.
Anyone or anything that can access the signer environment variable may be able to authorize transactions from the proof wallet.
Live mode requires access to a wallet signer credential. That credential is expected for the stated blockchain purpose, but it controls real account authority.
Required env vars: LIVE_SIGNER_ENV; Primary credential: LIVE_SIGNER_ENV
Use a limited-purpose wallet with minimal funds, keep the signer only in the local runtime environment, never commit it to config files, and confirm the configured account matches the intended signer.
Running the script with an untrusted or unexpected local Node dependency could affect transaction construction or execution.
The script depends on the external ethers package while the install section says there is no install spec. This is expected for EVM tooling, but dependency provenance is left to the user's local environment.
const { JsonRpcProvider, Wallet, Contract, MaxUint256, parseUnits, formatUnits, formatEther, isAddress } = require('ethers');Use a clean project or container, install a trusted pinned version of ethers, and review the full script before any live run.