clawchain plugin for impossible finance
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill matches its DeFi trading purpose, but it asks the agent to control a persistent plaintext BSC wallet with real funds and broad swap authority.
Only install this if you are comfortable giving the agent control of a dedicated BSC hot wallet. Do not use an existing high-value wallet; fund it with small amounts, protect or encrypt wallet.json, verify the Impossible Finance contract addresses, pin dependencies, and require manual approval for each swap.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the file is exposed or the agent signs an unintended transaction, funds in the wallet could be irreversibly lost.
A persistent private key gives whoever controls the agent or file signing authority over the funded wallet; the supplied artifact shows plaintext local storage but no encryption, spend boundary, or recovery controls.
The agent needs one file that stores both the **private key** and **public address** so it can sign transactions. Create it once and reuse it.
Use only a dedicated low-balance wallet, protect the wallet file, prefer encrypted or hardware-backed signing, and require explicit user approval for every transaction.
The agent could make costly or unintended swaps, interact with unsafe tokens, or spend more of the funded wallet than the user expected.
The skill grants broad mainnet trading capability across arbitrary tokens, while the supplied visible instructions do not define approval gates, token allowlists, spend limits, or slippage constraints.
This skill lets the AI agent create a BSC wallet ... swap tokens ... The agent is not limited to specific tokens — it can resolve token addresses and check which pairs have liquidity.
Require explicit confirmations, set maximum trade amounts and slippage limits, use token allowlists, and test with small amounts before funding the wallet.
A wrong or compromised dependency installation could affect wallet generation or transaction handling.
The skill relies on a manually installed npm package, and the registry has no install spec or lockfile. This is normal for an instruction-only Web3 skill, but users should verify the dependency source and version.
Prerequisite: Node.js 18+ with `ethers` (v6):
```bash
npm install ethers
```
Install from trusted package sources, pin a specific ethers version, and use a lockfile or reviewed setup script where possible.
