pol-agents-sdk-demo
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Review before installing: this is a coherent Polygon wallet toolkit, but its registry metadata does not declare the high-impact wallet credentials it creates, and it relies on unreviewed code (a global npm install from an unpinned GitHub source plus an auto-downloaded tunnel binary) that runs with access to real funds.
Install only if you intend to run a real Polygon wallet agent. Use a separate low-value wallet, set strict session spend limits, verify the GitHub package and the cloudflared binary before use, review the dry-run output before broadcasting any transaction, and be aware that setup routes the encrypted session approval through a hosted connector UI and a Cloudflare tunnel.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. Wallet credentials and spend authority are not declared in the metadata

Risk: If configured, the agent/CLI holds wallet authority and can spend funds up to the approved session limits.
Detail: The skill creates and uses wallet access keys, private keys, and spend-limited sessions that can authorize real token movement, yet the registry metadata declares no primary credential, environment variables, or config paths. A reviewer relying on the metadata alone would not learn that this material exists, where it is stored, or what it can authorize.
Evidence (quoted from the skill docs): Outputs `accessKey` — needed for all wallet operations. Save `privateKey` for backup. ... `--native-limit <amt>` | Max POL the session can spend
Recommendation: Use a dedicated low-value wallet, set tight session limits (for example a small `--native-limit`), keep the `privateKey` backup offline and private, review and revoke sessions regularly, and require the skill metadata to declare its wallet credentials and storage paths.
2. High-impact write operations

Risk: A broadcast transaction can be irreversible and may transfer tokens or create on-chain records.
Detail: The CLI exposes high-impact operations such as send, swap, deposit, registration, and x402 payment. The docs state that writes are dry-run by default and require an explicit broadcast flag; this is documented behaviour, not behaviour verified by execution (see the review scope above).
Evidence (quoted from the skill docs): **Dry-run by default** — all write commands require `--broadcast` to execute
Recommendation: Run every write command without `--broadcast` first, and broadcast only after the user has explicitly confirmed the recipient, amount, chain, and fees shown in the dry-run output.
3. Unpinned global install from a GitHub source

Risk: Unreviewed or changed upstream code would run locally with access to the wallet environment and stored sessions.
Detail: The artifact set contains no install spec or package code to review, and the documented install pulls a global executable from a GitHub source without a pinned commit or hash, so whatever the default branch points at when you install is what runs.
Evidence (quoted from the skill docs): Install globally: `npm install -g github:0xPolygon/polygon-agent-kit`
Recommendation: Pin to a reviewed release or commit (npm accepts the `github:owner/repo#<commit>` form), verify the package source and integrity before installing, review any install-time lifecycle scripts (or disable them with `--ignore-scripts`, bearing in mind that this also skips any build step the package relies on), and prefer an install spec that declares the dependency and the binaries it needs.
4. Auto-downloaded tunnel binary

Risk: A downloaded helper binary executes locally and opens outbound network connectivity during the wallet approval flow.
Detail: The wallet creation flow can automatically download and run an additional tunnel executable (`cloudflared`) that is not represented in the install metadata or the reviewed artifacts, so it sits outside anything a reviewer of this skill can inspect or pin.
Evidence (quoted from the skill docs): No account or token required — `cloudflared` is auto-downloaded to `~/.polygon-agent/bin/` on first use.
Recommendation: Preinstall a cloudflared binary into `~/.polygon-agent/bin/` whose digest you have checked against the upstream release, confirm its source and version, or use the manual callback flow when automatic downloads and tunnels are not acceptable.
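The two recommendations above (pin the npm install, preinstall a verified tunnel binary) can be enforced with a small preflight script. The following is an added example written for this review; it is not part of the skill, of polygon-agent-kit, or of ClawScan. It assumes that a cloudflared binary already placed at `~/.polygon-agent/bin/cloudflared` is honoured instead of triggering the first-use download (the docs quoted above suggest this but do not state it), and the expected SHA-256 is a placeholder the operator supplies from the upstream release.

```bash
#!/usr/bin/env bash
# Preflight for installing pol-agents-sdk-demo / polygon-agent-kit.
# Added example for this review, not project code. The commit hash and
# the cloudflared digest are placeholders supplied by the operator.

set -u

# Return 0 only when an npm GitHub spec is pinned to a full 40-hex commit,
# e.g. github:0xPolygon/polygon-agent-kit#<commit>. A bare spec or a
# branch/tag name resolves to whatever upstream points at on install day.
is_pinned_github_spec() {
  printf '%s\n' "$1" | grep -Eq '^github:[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+#[0-9a-f]{40}$'
}

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when the file exists and its digest matches the expected one
# (compared case-insensitively, since release pages vary in case).
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -f "$file" ] || return 1
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Copy a digest-checked cloudflared into the directory the skill looks in,
# so its first-use auto-download is not needed. Refuses on mismatch and
# leaves nothing behind in that case.
install_verified_cloudflared() {
  src=$1; expected=$2; dest_dir=$3
  if ! verify_sha256 "$src" "$expected"; then
    echo "cloudflared digest mismatch for $src, not installing" >&2
    return 1
  fi
  mkdir -p "$dest_dir"
  cp "$src" "$dest_dir/cloudflared"
  chmod 0755 "$dest_dir/cloudflared"
}

# Gate the global install: a pinned spec and a verified tunnel binary are
# both required before npm is ever invoked.
# Args: npm spec, downloaded cloudflared path, expected sha256, install dir
# (normally "$HOME/.polygon-agent/bin").
preflight() {
  spec=$1; src=$2; expected=$3; dest_dir=$4
  if ! is_pinned_github_spec "$spec"; then
    echo "refusing unpinned install spec: $spec" >&2
    return 1
  fi
  install_verified_cloudflared "$src" "$expected" "$dest_dir" || return 1
  echo "preflight ok; now run: npm install -g $spec"
}

# Example invocation (placeholders, constructed for illustration):
#   preflight 'github:0xPolygon/polygon-agent-kit#<reviewed-commit>' \
#     ./cloudflared-linux-amd64 <sha256-from-upstream-release> \
#     "$HOME/.polygon-agent/bin"
```

The spec check deliberately accepts only a full commit hash: a tag or branch name also passes `npm install`, but both can be moved upstream after you reviewed them, which is exactly the "unreviewed or changed upstream code" risk in finding 3. The digest check fails closed, so a mismatch leaves `~/.polygon-agent/bin/` empty rather than populated with an unverified binary.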
5. Approval flow routed through third-party infrastructure

Risk: Wallet approval data and encrypted session material flow through third-party networking infrastructure during setup.
Detail: The wallet approval and session callback are routed through a public Cloudflare Quick Tunnel and a hosted connector UI. The docs say the session is encrypted and the tunnel is temporary, but the callback is reachable on a public `trycloudflare.com` hostname for the tunnel's lifetime, and both the connector operator and Cloudflare sit on the path, so this remains a sensitive external data path.
Evidence (quoted from the skill docs): The CLI automatically opens a **Cloudflare Quick Tunnel** (`*.trycloudflare.com`) and passes the callback URL to the connector UI. ... the CLI receives the session automatically.
Recommendation: Use only trusted connector URLs, verify the full approval URL (scheme, host, and where the callback points) before opening it, and choose the manual/local flow if third-party tunnels are not acceptable.
