v0.1.0

Gasless Crosschain Executor

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:24 AM.

Analysis

This skill is aimed at wallet-based crypto swaps and includes good safety instructions, but it references missing helper code and underdeclares the sensitive credentials and execution authority needed.

Guidance: Before installing, treat this as a high-impact crypto wallet skill. Do not paste private keys or seed phrases into chat, do not run missing or externally fetched setup scripts without separate review, use a low-balance wallet first, and only approve execution with the exact plan-hash phrase after checking every route and contract detail.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: High | Status: Note
SKILL.md
Choose provider mode. The choice follows from observable state; do not ask the user.

The skill intentionally constrains the agent to pick a provider path automatically instead of asking the user. This is framed as a safety decision tree, but users should know the skill may override open-ended provider choice.

User impact: The agent may steer execution through the skill's preferred provider workflow rather than asking you to choose each provider manually.
Recommendation: Review the selected provider and route before approving any plan hash or signature.
Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Plan, validate, sign, submit, and monitor EVM swaps with local-only key custody.

The workflow includes signing, submitting, and monitoring blockchain swaps. These are high-impact tools, but the instructions also require exact plan review and explicit authorization before real execution.

User impact: A mistaken approval could authorize a real trade or transaction involving your wallet funds.
Recommendation: Only approve a plan after checking chain IDs, token addresses, amounts, recipient, spender, fees, slippage, deadline, and the exact plan hash.
Agentic Supply Chain Vulnerabilities
Severity: High | Confidence: High | Status: Concern
README.md
running `./scripts/setup.sh` once to materialize the Python venv and the Fusion+ Node deps

The submitted manifest contains only markdown/reference files and no scripts, requirements file, package file, or tests. Referencing missing setup and helper code creates a provenance gap for a high-impact wallet execution workflow.

User impact: Following the documentation may lead you to obtain or run code that was not included in the reviewed artifact.
Recommendation: Do not run external scripts or cloned repositories as part of this skill unless you separately review their source, dependency pins, and provenance.
Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Concern
README.md
python3 -m venv .venv && source .venv/bin/activate
pip install -r requirements.txt

# 2. (optional) node deps for the Fusion+ helpers
cd examples && npm install && cd ..

The artifact is declared instruction-only with no install spec, but the documentation instructs users to create environments and run pip/npm installs from files and directories that are not present in the submitted package.

User impact: You could end up executing unreviewed local or third-party code while setting up a wallet-signing workflow.
Recommendation: Require a complete artifact with the referenced scripts and lockfiles, or manually inspect any repository and dependency tree before running setup commands.
Cascading Failures
Severity: Medium | Confidence: High | Status: Note
README.md
Cross-chain swaps are irreversible and expensive to mess up.

A wrong route, approval, token address, or recipient can propagate into irreversible on-chain or cross-chain effects. The skill recognizes this and includes guardrails, but the impact remains high.

User impact: A single bad approval or transaction can move funds, create persistent allowances, or fail across chains in ways that are hard to reverse.
Recommendation: Start with small amounts, use finite approvals, verify revoke/refund paths, and avoid large transfers from newly generated or untested wallets.
Human-Agent Trust Exploitation
Severity: High | Confidence: High | Status: Concern
README.md
The agent never sees a key.

The package makes strong safety claims, but the submitted artifact contains no helper code to verify the claimed local signer, key isolation, validator, file permissions, or tests. In a wallet-execution skill, unsupported safety claims can lead users to over-trust the workflow.

User impact: You might rely on security guarantees that are described in documentation but not enforceable from the provided artifact.
Recommendation: Do not assume the claimed signer isolation or validator behavior exists unless the actual scripts are present and independently reviewed.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
metadata
Required env vars: none
Env var declarations: none
Primary credential: none

The registry declares no credential contract, while the supplied capability signals include wallet/signing/sensitive-credential needs and the documentation asks for provider API keys and local signer references. That underdeclares the privilege needed to operate the skill.

User impact: You may be asked to provide wallet access, signing authority, RPC endpoints, or provider tokens even though the registry does not declare them as requirements.
Recommendation: Treat this as a wallet-authority skill: use a low-balance wallet, avoid exposing private keys to chat, and verify any API token or signing setup outside the agent conversation.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
references/security-policy.md
Persist only non-secret data:

- normalized execution plan
- plan hash
- raw quote response with secrets redacted
- provider name and endpoint
- token and chain metadata

The skill intentionally persists transaction planning and provider context. This is useful for auditability, but persisted route metadata and provider responses should not become an unreviewed authority for later signing.

User impact: Stored plans or quote artifacts may reveal wallet activity and could influence later agent actions if reused without review.
Recommendation: Keep audit artifacts local, redact them before sharing, and revalidate the plan hash before any signing or broadcast step.
Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
references/provider-adapters.md
`examples/submit_fusion_plus.mjs` — POSTs `submitPayload + signature` to the relayer.

The workflow sends signed payloads and provider data to external relayer/status APIs. This is expected for 1inch execution, but users should understand that signatures and order metadata leave the local machine.

User impact: External providers may receive transaction metadata, signatures, order IDs, wallet addresses, and route details.
Recommendation: Use official provider endpoints, protect provider API tokens, and avoid submitting signatures unless the exact plan and target contracts have been verified.