Polygon Agents SDK
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Review before installing because this crypto-wallet skill relies on unpinned external code and an auto-downloaded tunnel tool to manage wallet sessions and funds.
Install only if you trust the upstream Polygon Agent Kit source. Pin or review the exact code before use, consider avoiding the auto-tunnel flow, set very low session spending limits, keep private keys out of chat, and verify every recipient, amount, chain, and approval URL before broadcasting transactions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the upstream package changes or is not the code the user expects, it could run with local user privileges while managing crypto wallet sessions and funds.
The artifact is instruction-only, so this unpinned global GitHub install is the real executable supply chain for code that will handle wallet credentials and transactions.
- Install globally: `npm install -g github:0xPolygon/polygon-agent-kit`
Review and pin the exact upstream version or commit before installing, prefer a trusted release source, and test in an isolated environment with minimal funds.
A downloaded helper binary may run on the local machine and open a public tunnel for the approval callback.
The default wallet approval flow downloads an external tunneling executable. This is disclosed and purpose-aligned, but it adds an executable/provenance surface outside the skill artifact.
- cloudflared is auto-downloaded to `~/.polygon-agent/bin/` on first use.
Use a verified cloudflared install or the manual `--no-wait` flow if you do not want automatic helper downloads and tunneling.
Using `--broadcast` with the wrong recipient, amount, chain, or contract could move or lock funds permanently.
The CLI can execute token transfers, swaps, and deposits when broadcast. The docs state dry-run is default, so this is expected, but the actions are financially irreversible.
- `send --to <addr> --amount <num> [--symbol <SYM>] [--broadcast]` ... `swap ... [--broadcast]` ... `deposit ... [--broadcast]`
Preview without `--broadcast` first, then broadcast only after the user confirms the exact recipient, token, amount, chain, and contract.
Exposure or misuse of the private key, access key, or wallet session could let someone act as the wallet or spend allowed funds.
The setup flow involves private keys and provider access keys. This is expected for wallet creation, but these credentials can authorize sensitive account and wallet activity.
- `→ save privateKey (not shown again), eoaAddress, accessKey`
Do not paste private keys into chat, use least-privilege session limits, keep only small funded amounts in the agent wallet, and protect the local credential directory.
Session approval traffic depends on external connector and tunnel infrastructure, so users must ensure they are approving the intended wallet session.
Wallet approval uses an external tunnel and connector callback path. This is disclosed and purpose-aligned, but it is a sensitive session-approval data boundary.
- The CLI automatically opens a **Cloudflare Quick Tunnel** (`*.trycloudflare.com`) and passes the callback URL to the connector UI.
Verify approval URLs, use fresh links only, avoid sharing them broadly, and prefer manual/local callback modes if the tunnel boundary is not acceptable.
