Safe Skills

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is clearly about EVM wallet management, but it gives the agent ongoing wallet authority and arbitrary transaction capability without clear approval or scope limits.

Only install this if you trust the remote SafeSkills service and are comfortable giving an agent controlled wallet authority. Start on testnet or with very small funds, set strict spending policies through the claim URL, require explicit approval for every transaction, and protect the API key like a financial credential.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on a funded wallet, an agent could submit transactions that transfer assets, approve token spending, or interact with contracts in ways that may be irreversible.

Why it was flagged

This exposes a broad transaction escape hatch for smart-contract interaction. The workflow does not specify explicit user confirmation, transaction limits, or safe defaults before submitting high-impact blockchain actions.

Skill content

Send a raw transaction with custom calldata. Useful for interacting with smart contracts.

Recommendation

Require explicit user approval for every transfer or arbitrary transaction, show the recipient/value/calldata before execution, and use strict spending and contract policies through the claim URL.

What this means

Anyone or any agent workflow with access to the API key may be able to operate the wallet, subject to whatever server-side policies exist.

Why it was flagged

The API key is persistent delegated authority for wallet operations. The artifact does not define where it is stored, how it is protected, how broad its permissions are, or how users can revoke/rotate it.

Skill content

`apiKey` -- store this securely; use it as the Bearer token for all future requests

Recommendation

Treat the API key like a wallet credential: store it only in a protected secret store, limit its permissions, rotate or revoke it when no longer needed, and avoid giving it to autonomous workflows without user-set limits.

What this means

Users have less independent information to assess the operator of the service that will create and manage wallet secrets.

Why it was flagged

The skill is instruction-only, but it relies on a remote wallet/secret service. The registry metadata does not provide source or homepage provenance for users to verify the provider.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the SafeSkills provider, service terms, key custody model, and recovery/revocation process before using it with real funds.