AI agent crypto trading — gasless limit, DCA, stop-loss & take-profit
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent crypto-trading skill, but it can authorize token spending and submit signed orders, so users should verify every order before signing.
Use this only with wallets and funds you are prepared to trade. Before signing, independently verify the protocol addresses, token addresses, recipient, max spend, deadline, slippage, and order type. Do not share signed payloads, avoid unlimited approvals unless intentional, and delete stored signatures after the order is resolved.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken approval or signed order could cause the user's tokens to be traded under the signed terms.
The skill requires wallet authorization and token allowance for the protocol contract, which is expected for trading but gives the workflow authority over the specified token amount.
approve(typedData.domain.verifyingContract, input.maxAmount) ... Sign `typedData` with any EIP-712-capable wallet or library. The signer must equal `swapper`.
Review the chain, token addresses, maxAmount, recipient, deadline, slippage, and spender before signing; prefer exact approvals and avoid maxUint256 unless intentionally choosing a standing approval.
If the normalized order parameters are wrong, the relay may accept an order that later executes against the user's funds.
The instructions direct the agent to submit a signed financial order to an external relay; this is disclosed and purpose-aligned, but errors in the payload can create executable trades.
Submit this exact relay payload to `https://agents-sink.orbs.network/orders/new`
Require a human confirmation step showing the final typed data and relay payload before submission.
A leaked or accidentally reused signature could submit the same order within its valid window.
The skill instructs storing a signed order payload for retry; signed payloads can be sensitive until expiration or cancellation.
After an ambiguous relay failure such as a timeout or `5xx`, persist and reuse the exact populated `typedData` and signature for any retry.
Store signed payloads only temporarily, avoid shared logs or memory, and delete them after the order is resolved, expired, or cancelled.
Users may have to rely on the bundled addresses and claims without registry-level source verification.
The registry metadata does not establish provenance, while the skill embeds fixed contract and relay addresses for financial operations.
Source: unknown; Homepage: none
Verify the contract addresses, relay endpoint, and audit/source links against the official Spot/Orbs documentation before using real funds.
