Polygon Agents SDK

Verdict: Suspicious. Audited by ClawScan on May 10, 2026.

Overview

Review recommended: the skill is a coherent Polygon wallet toolkit, but it relies on unreviewed software (a globally installed package and a helper binary downloaded at runtime) that stores wallet credentials and can spend tokens through session permissions.

Install only if you intentionally want an agent to manage Polygon wallets. Verify and pin the upstream package first, use a fresh low-value wallet, set strict session spending limits, confirm every recipient/amount/URL before broadcasting or paying, and avoid funding the wallet with assets you cannot afford to lose.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A changed or compromised upstream package could run local code while handling wallet credentials and token operations.

Why it was flagged

The reviewed artifacts do not include the executable package or a pinned install spec, yet the skill asks users to globally install a GitHub package that will manage wallets and transactions.

Skill content

metadata: "Source: unknown" / "No install spec" / "No code files present"; SKILL.md: "Install globally: `npm install -g github:0xPolygon/polygon-agent-kit`"

Recommendation

Only use a reviewed, pinned release or commit; publish an install spec/lockfile and review the package before using it with real funds.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A user may run downloaded tunnel software as part of wallet approval without a separate package review or checksum/pinning step.

Why it was flagged

The default wallet-creation flow downloads and runs an additional helper binary at runtime, which is not represented in the install metadata.

Skill content

The CLI automatically opens a **Cloudflare Quick Tunnel** (`*.trycloudflare.com`) ... `cloudflared` is auto-downloaded to `~/.polygon-agent/bin/` on first use.

Recommendation

Require explicit user opt-in for runtime downloads, document the source and verification method, and consider using `--no-wait` or a manually reviewed local callback flow.

What this means

If installed or invoked casually, the agent may receive authority over funded wallets and session permissions that can move assets.

Why it was flagged

The registry does not declare credential requirements, while the instructions require access keys and private-key/session handling for wallets that can spend tokens.

Skill content

metadata: "Required env vars: none" / "Primary credential: none"; SKILL.md: "`SEQUENCE_PROJECT_ACCESS_KEY` | Wallet creation, swaps"; QUICKSTART.md: "Outputs `accessKey` ... Save `privateKey` for backup."

Recommendation

Use a dedicated low-value wallet, set the smallest possible session limits, keep private keys out of chat when possible, and ensure credentials are declared and scoped before use.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

An agent could make a wallet-backed payment to a user-supplied or malicious endpoint if the user has not separately confirmed the destination and amount.

Why it was flagged

This payment command accepts an arbitrary URL and derives the payment details (recipient, chain, token, amount) from the endpoint's response, and the command as shown does not include the `--broadcast` guard used by the other write examples.

Skill content
`polygon-agent x402-pay --url <url> --wallet <n> ...`; "`x402-pay` — probes endpoint for 402, smart wallet funds builder EOA with exact token amount, EOA signs EIP-3009 payment. Chain auto-detected from 402 response"
Recommendation

Require explicit user confirmation of x402 recipient, chain, token, and amount before payment, and document a dry-run or maximum-payment control.

What this means

Wallet-session callback data may traverse infrastructure the user did not explicitly choose, which matters for accounts holding real funds.

Why it was flagged

Wallet-session approval data is routed through a hosted connector and public tunnel by default, but the artifacts do not clearly bound the tunnel identity, validation, or retention behavior.

Skill content

The CLI automatically opens a **Cloudflare Quick Tunnel** (`*.trycloudflare.com`) and passes the callback URL to the connector UI ... the CLI receives the session automatically.

Recommendation

Verify the connector URL, prefer manual or local approval flows for high-value wallets, delete temporary blobs, and keep session permissions tightly limited.