ClawDex Trading
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This crypto-trading skill is coherent, but it delegates real Solana swaps to an unpinned external CLI using a local wallet, so it should be reviewed before use.
Install only if you trust the ClawDex CLI and understand it can trade from the configured Solana wallet. Prefer a dedicated low-balance wallet, pin and verify the npm package, set strict guardrails, run quote and simulation first, and require explicit confirmation before any real `--yes` swap.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could execute a token trade from the user's wallet without a final explicit human confirmation of the exact pair, amount, slippage, route, and expected output.
The skill instructs the agent to broadcast real token swaps with non-interactive confirmation, based on the agent's own assessment after simulation. Crypto swaps are financial actions and are often irreversible.
"Execute" — `clawdex swap --yes --json` — only if simulation looks good; "--yes is required" for non-interactive execution.
Require explicit user confirmation immediately before any `--yes` swap, and default to quote or simulation-only mode unless the user confirms the final trade details.
If the CLI or workflow is misused, funds in the configured Solana wallet could be spent or traded.
The skill directs the use of an API key and a local Solana wallet keypair. That wallet can authorize swaps and transfers, which is high-impact financial authority.
`clawdex onboarding --jupiter-api-key "$JUPITER_API_KEY" ... --wallet ~/.config/solana/id.json --json`
Use a dedicated low-balance trading wallet, verify the requested wallet path, and do not give the agent access to a primary wallet or broad private key file.
A compromised or unexpected `clawdex` npm release could affect the user's trading wallet or transaction behavior.
The skill relies on a globally installed, unpinned npm package that is not included in the reviewed artifacts. That external CLI would handle wallet and trading operations.
`which clawdex || npm install -g clawdex@latest`
Verify the ClawDex package provenance, pin a known-good version, inspect the package before use, and avoid installing `@latest` automatically for wallet-signing workflows.
