ButterSwap

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent instruction-only crypto swap helper with no code or credentials, but users should verify any generated transaction data before signing and understand that swap details are sent to Butter’s API.

This skill appears safe to install as an instruction-only Butter Router helper, but treat it as a quote and transaction-data generator rather than an authority on what to sign. Before signing any wallet transaction, independently check the destination contract, calldata summary, token addresses, amount, slippage, receiver address, chain, and native value.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can run API-query commands for this skill. The visible examples are purpose-aligned, but generated transaction details could affect funds if a user signs them without review.

Why it was flagged

The skill is allowed to use broad tools, especially Bash, but the documented use is curl-based access to the Butter Router API, which fits the swap-quote purpose.

Skill content

allowed-tools:
  - Bash
  - Read

Recommendation

Use the skill for quotes and transaction payloads only, and before signing, confirm in your wallet the requested chain, token addresses, amount, slippage, receiver, contract address, value, and calldata.

What this means

Your wallet address, receiver address, token pair, chain IDs, amount, and intended swap parameters may be visible to the external routing service.

Why it was flagged

The skill sends swap-routing requests to an external Butter Router API. Other documented parameters include wallet addresses, token addresses, amounts, route hashes, and receiver addresses.

Skill content

BASE_URL=https://bs-router-v3.chainservice.io

Recommendation

Avoid using addresses or trade details you consider private, and verify that you trust the Butter Router endpoint before requesting transaction data.