Mi Trading
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This Solana trading skill is purpose-aligned, but it can install and run an unpinned CLI with access to a wallet key and execute real swaps non-interactively.
Treat this as a high-impact financial automation skill. Only use it with a dedicated low-balance Solana wallet, manually verify and pin the ClawDex CLI before use, set strict trading guardrails, and require explicit confirmation before any real swap is executed.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Real swaps executed without a final user approval
Impact: A mistaken or misunderstood instruction could lead to an irreversible on-chain trade or financial loss.
Detail: The skill directs the agent to perform real token swaps non-interactively, with the agent deciding whether the simulation "looks good" rather than requiring a final user approval.
Evidence:
4. **Execute** — `clawdex swap --yes --json` — only if simulation looks good
Recommendation: Require explicit user confirmation after simulation and before any `--yes` execution, restating the token pair, amount, minimum received, slippage, and fees.
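As an added example (not code from the skill, from ClawDex or from ClawScan), the following Python gate enforces fixed trading limits and then requires the human, not the agent, to type back every material term of the simulated trade before `clawdex swap --yes --json` is run. The simulation field names, the sample numbers, the policy limits and the `run` hook are assumptions; the execution command is the one quoted in the finding.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Guardrails:
    """Hard limits the human sets once; anything outside them is refused before confirmation."""
    allowed_pairs: FrozenSet[Tuple[str, str]]   # (input token, output token)
    max_in_amount: float                        # per-trade cap in input-token units
    max_slippage_bps: int                       # reject looser slippage than this


# Constructed sample of a simulation result. The field names are an assumption,
# not the real clawdex JSON schema; map the real keys onto these.
SAMPLE_SIM = {
    "inputToken": "SOL",
    "outputToken": "USDC",
    "inAmount": 0.5,
    "minOutAmount": 71.2,
    "slippageBps": 50,
    "feeLamports": 5000,
}

# Assumed policy for a dedicated low-balance wallet.
POLICY = Guardrails(
    allowed_pairs=frozenset({("SOL", "USDC")}),
    max_in_amount=1.0,
    max_slippage_bps=100,
)


def check_guardrails(sim: dict, g: Guardrails) -> List[str]:
    """Return every policy violation; an empty list means the trade is within limits."""
    problems = []
    pair = (sim["inputToken"], sim["outputToken"])
    if pair not in g.allowed_pairs:
        problems.append(f"pair {pair[0]}->{pair[1]} is not on the allow-list")
    if sim["inAmount"] > g.max_in_amount:
        problems.append(f"amount {sim['inAmount']} exceeds cap {g.max_in_amount}")
    if sim["slippageBps"] > g.max_slippage_bps:
        problems.append(f"slippage {sim['slippageBps']} bps exceeds {g.max_slippage_bps} bps")
    return problems


def confirmation_phrase(sim: dict) -> str:
    """The exact text the human must type back. It restates every material term, so a
    confirmation cannot be given without seeing pair, amount, minimum, slippage and fee."""
    return (
        f"SWAP {sim['inAmount']} {sim['inputToken']} FOR MIN {sim['minOutAmount']} "
        f"{sim['outputToken']} SLIPPAGE {sim['slippageBps']}BPS FEE {sim['feeLamports']}LAMPORTS"
    )


def gate_swap(
    sim: dict,
    g: Guardrails,
    human_answer: str,
    run: Optional[Callable[[List[str]], int]] = None,
) -> Tuple[str, object]:
    """Decide whether `clawdex swap --yes --json` may run.

    `human_answer` must come from the user (e.g. input()), never from the agent's own
    judgement that the simulation "looks good". `run` executes the argv and returns an
    exit code; it defaults to subprocess so a test can inject a stub instead of trading.
    """
    violations = check_guardrails(sim, g)
    if violations:
        return ("blocked", violations)
    expected = confirmation_phrase(sim)
    if human_answer.strip() != expected:
        return ("declined", expected)
    argv = ["clawdex", "swap", "--yes", "--json"]   # the execution step quoted from the skill
    if run is None:
        run = lambda a: subprocess.run(a, check=False).returncode
    return ("executed", run(argv))


if __name__ == "__main__":
    print("Type exactly to execute:", confirmation_phrase(SAMPLE_SIM))
    print(gate_swap(SAMPLE_SIM, POLICY, input("> ")))
```

The order matters: guardrails are checked before the confirmation is even requested, so a trade outside policy is never put in front of the user, and a bare "yes" or "looks good" is not accepted because the phrase has to contain the numbers that would be lost if the simulation was misread.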
Finding 2: Wallet key file and API key handed to the CLI
Impact: If the CLI or agent workflow is misused, funds in the configured wallet could be traded or exposed to transaction-signing risk.
Detail: The skill passes an API key and the user's local Solana wallet key file to the CLI, giving it authority to operate on the trading wallet.
Evidence:
clawdex onboarding \
  --jupiter-api-key "$JUPITER_API_KEY" \
  --rpc "${SOLANA_RPC_URL:-https://api.mainnet-beta.solana.com}" \
  --wallet ~/.config/solana/id.json
Recommendation: Use a dedicated low-balance trading wallet rather than a main wallet, declare the credential and configuration requirements clearly, and keep the API key and wallet file least-privileged.
Finding 3: Unpinned global npm install
Impact: A compromised or changed npm package version could run with access to the user's wallet configuration and trading workflow.
Detail: The skill installs the latest version of an npm package globally without pinning it, while no install spec or reviewed implementation is included in the artifact set.
Evidence:
which clawdex || npm install -g clawdex@latest
Recommendation: Pin a reviewed version, document the package source, verify provenance and checksums where possible, and prefer a manual installation before giving the CLI wallet access.
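As an added example (not code from the skill, from ClawDex or from ClawScan), this Python check flags unpinned specs in an install line such as the one above and, for a pinned spec, compares the registry's tarball hash (`npm view <spec> dist.integrity`) with the hash recorded at review time before allowing `npm install -g` to run. The pinned version and the SRI value are placeholders; the registry lookup is behind a `view` hook so it can be stubbed.

```python
import re
import shlex
import subprocess
from typing import Callable, List, Tuple

# Exact version only: name@MAJOR.MINOR.PATCH (optional prerelease/build). Tags such as
# @latest, bare names and ranges (^, ~, >=) do not match and are reported as unpinned.
PINNED_SPEC = re.compile(
    r"^(?P<name>(?:@[\w.-]+/)?[\w.-]+)@(?P<version>\d+\.\d+\.\d+(?:[-+][\w.]+)?)$"
)
INSTALL_VERBS = {"install", "i", "add"}
SHELL_SEPARATORS = {"||", "&&", ";", "|"}

# The install line quoted from the skill, and the hardened form assumed here. The version
# and SRI value are placeholders for whatever a human review pins, not real values.
SKILL_INSTALL_LINE = "which clawdex || npm install -g clawdex@latest"
REVIEWED_SPEC = "clawdex@1.2.3"
REVIEWED_INTEGRITY = "sha512-REPLACE-WITH-THE-HASH-YOU-REVIEWED"


def classify_spec(spec: str) -> str:
    """'pinned' for an exact name@x.y.z spec, otherwise 'unpinned'."""
    return "pinned" if PINNED_SPEC.match(spec) else "unpinned"


def find_unpinned(command_line: str) -> List[str]:
    """Return every package spec in the `npm install` segments of a shell line that is
    not an exact version. Walks past `||`/`&&`/`;` so wrapped installs are still seen."""
    tokens = shlex.split(command_line)
    flagged = []
    i = 0
    while i < len(tokens) - 1:
        if tokens[i] == "npm" and tokens[i + 1] in INSTALL_VERBS:
            j = i + 2
            while j < len(tokens) and tokens[j] not in SHELL_SEPARATORS:
                if not tokens[j].startswith("-") and classify_spec(tokens[j]) == "unpinned":
                    flagged.append(tokens[j])
                j += 1
            i = j
        else:
            i += 1
    return flagged


def registry_integrity(spec: str) -> str:
    """Fetch the tarball's SRI hash from the registry with `npm view <spec> dist.integrity`."""
    out = subprocess.run(["npm", "view", spec, "dist.integrity"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def verify_pinned(spec: str, reviewed_integrity: str,
                  view: Callable[[str], str] = registry_integrity) -> Tuple[bool, str]:
    """Refuse unpinned specs; for pinned ones, require the registry hash to equal the
    reviewed one before `npm install -g` is allowed to run."""
    if classify_spec(spec) != "pinned":
        return (False, f"{spec} is not pinned to an exact version")
    observed = view(spec)
    if observed != reviewed_integrity:
        return (False, f"integrity mismatch for {spec}: registry reports {observed!r}")
    return (True, f"{spec} matches the reviewed integrity; safe to install")


if __name__ == "__main__":
    print("unpinned specs in the skill's install line:", find_unpinned(SKILL_INSTALL_LINE))
    ok, msg = verify_pinned(REVIEWED_SPEC, REVIEWED_INTEGRITY)
    print(msg)
    if ok:
        subprocess.run(["npm", "install", "-g", REVIEWED_SPEC], check=True)
```

Note that `which clawdex ||` only skips the install when a binary is already on PATH; it says nothing about which version that binary is, so the pin and hash check should run before the CLI is ever given the wallet path.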
