Crypto limit orders — gasless, non-custodial
Advisory
Audited by Static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Approving or signing the wrong order could allow the protocol flow to spend the specified tokens or create an unintended trade.
The skill directs wallet approval and EIP-712 signing that can authorize token spending up to the order's max amount. This is expected for the crypto-order purpose, but it is high-impact financial authority.
If allowance for `input.token` to `typedData.domain.verifyingContract` is lower than `input.maxAmount`, the default suggestion is a standard ERC-20 `approve(typedData.domain.verifyingContract, input.maxAmount)` transaction first.
Before approving or signing, verify chain, input/output token addresses, amount and maxAmount, recipient, deadline, slippage, spender/verifying contract, and use exact approvals unless you intentionally want a standing approval.
The relay receives the signed order and associated wallet/order information; the signed payload should be considered sensitive until it expires, fills, or is cancelled.
The skill sends signed order data, including wallet/order details and a signature, to an external relay endpoint. This is disclosed and central to gasless order submission.
Submit this exact relay payload to `https://agents-sink.orbs.network/orders/new`: ... `{ "order": "<typedData.message>", "signature": "<full signature or { r, s, v }>", "status": "pending" }`
Submit only after final review, verify the relay domain independently, prefer short deadlines where appropriate, and do not share signed payloads outside the intended relay flow.
A user may rely on hardcoded relay and contract addresses without independently confirming they match the intended protocol deployment.
The registry metadata does not identify a source or homepage, although package.json separately references an Orbs repository. Because the skill hardcodes protocol endpoints and contract addresses, provenance verification matters.
Source: unknown; Homepage: none
Verify the package provenance, official documentation, relay endpoint, and contract addresses before using the skill for real funds.
