Trails - pay with any token from any chain
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent Trails integration guide, but it handles API keys and can generate blockchain transaction code that should be reviewed before use.
This skill appears safe to install as an instruction-only integration assistant, but treat it like a financial/Web3 integration: verify package sources, keep API keys scoped, never share wallet secrets, and manually review all generated transaction code before signing or deploying.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may read project environment/config files to find a Trails API key before generating integration code.
The skill instructs the agent to inspect local environment/config files for API credentials. The search is scoped to Trails keys and is purpose-aligned, but credential discovery is sensitive.
Search for API key in:
- `.env` files → `TRAILS_API_KEY` or `NEXT_PUBLIC_TRAILS_API_KEY`
- Environment variables in the project
- Configuration files
Confirm before allowing scans of .env/config files, use only Trails-specific keys, keep server keys out of client code, and never provide wallet private keys or seed phrases.
Generated code may initiate real blockchain transactions, swaps, payments, or contract executions after wallet/application signing.
The Direct API examples include committing and executing cross-chain intents, which can move funds or trigger destination-chain contract calls when paired with a valid signature.
```js
const execution = await trails.executeIntent({
  intentId: intent.intentId,
  ...
  signature: '0x...', // User's signature
});
```
Require explicit human review of chain, token, amount, recipient, calldata, slippage, and fees before signing or submitting transactions; test on testnets first.
A future package update could change integration behavior compared with what was reviewed at install time.
The skill recommends installing unpinned latest packages. This is common for integration docs but reduces reproducibility and increases dependency supply-chain exposure.
Installation commands (always use latest version: `@0xtrails/trails` or `@0xtrails/trails-api` without version pins)
Verify the npm package source and maintainer, pin versions in production, and use lockfiles/dependency review.
Trails receives API authentication plus wallet addresses and transaction details needed to quote and execute intents.
The examples send an API bearer token and wallet/transaction parameters to the Trails API. This is expected for Trails functionality, but it is still an external provider data flow.
```js
'Authorization': `Bearer ${API_KEY}`
...
body: JSON.stringify({
  sourceChainId: 1,
  destinationChainId: 8453,
  amount: '1000000000',
  userAddress: '0xUserWalletAddress'
})
```
Do not include unrelated secrets in API requests or documentation searches; review Trails' privacy/security posture before sending production transaction data.
