Skill
Warn
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real crypto-wallet SDK, but it gives an agent broad ability to manage wallet keys and perform irreversible on-chain payments, swaps, bridges, and trades.
Install only if you intentionally want an agent-operated crypto wallet. Use a fresh low-balance wallet, prefer testnets while evaluating, require explicit approval for sends/swaps/bridges/trades/payments, keep the MCP HTTP mode local and token-protected, and verify the npm package/source before giving it any private key or seed phrase.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused or invoked with real funds, the agent could spend gas, transfer assets, approve contracts, bridge funds, or place irreversible trades.
The skill exposes broad financial transaction, purchase, trading, bridging, and contract-call authority to an agent, while the provided artifact does not show explicit approval gates, spend limits, or scope controls.
Agents generate and manage their own keys — no human input required. Use when: ... sending tokens, calling contracts, ... making x402 payment-gated API calls, ... bridging tokens cross-chain ... trading perpetual futures ... buying or selling Polymarket outcome shares
Use only with a dedicated low-balance wallet or testnet unless you add explicit per-transaction confirmations, spend limits, chain/contract allowlists, and monitoring.
Exposure or misuse of these secrets could lead to complete loss of funds in the connected wallet.
The skill can use wallet private keys or seed phrases, which is expected for this purpose but gives full control over the associated wallets.
AGENT_PRIVATE_KEY ... Hex-encoded private key (EVM) ... secret: true ... AGENT_MNEMONIC ... BIP-39 mnemonic phrase ... secret: true
Do not provide a primary wallet seed phrase. Use OpenClaw secrets where possible, create a dedicated wallet for this skill, and fund it only with amounts you are willing to risk.
Installing or updating the package requires trusting its npm provenance and implementation with sensitive crypto operations.
The runtime behavior comes from an external npm package rather than code included in the reviewed artifact set. This is normal for a packaged SDK, but it matters more because the package handles wallet keys and transactions.
node | package: evalanche | creates binaries: evalanche-mcp
Verify the npm package and GitHub source, consider pinning a reviewed version, and avoid installing it in environments with unrelated sensitive credentials.
