Solvera Markets
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a connected wallet signs the generated calldata, token balances, bonds, rewards, or on-chain reputation may change.
The skill exposes transaction-building workflows that can lead to signed on-chain actions, but it clearly discloses that the API only returns calldata and does not itself sign or broadcast.
All write endpoints return calldata only. They do not sign or broadcast. ... POST /api/intents/:id/offers ... POST /api/intents/:id/fulfill ... next_steps: [{ "action": "sign_and_send", "network": "base" }]Use explicit wallet confirmations, verify the network and contract address, and set token allowlists, minimum rewards, maximum bond/spend limits, and per-transaction approval requirements.
A wallet with signing authority can spend assets or create on-chain obligations if misused.
The artifacts indicate that wallet/private-key authority may be involved for signing transactions, while also instructing users not to send private keys to the service.
Keep private keys local; never send them to the API. ... Tx built and signed locally
Use a dedicated low-balance wallet where possible, never paste private keys into chats or APIs, review calldata/allowances before signing, and revoke unnecessary approvals.