clawchain plugin for impossible finance
Pending: Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the file is exposed or the agent signs an unintended transaction, funds in the wallet could be irreversibly lost.
A persistent private key gives whoever controls the agent or file signing authority over the funded wallet; the supplied artifact shows plaintext local storage but no encryption, spend boundary, or recovery controls.
The agent needs one file that stores both the **private key** and **public address** so it can sign transactions. Create it once and reuse it.
Use only a dedicated low-balance wallet, protect the wallet file, prefer encrypted or hardware-backed signing, and require explicit user approval for every transaction.
The agent could make costly or unintended swaps, interact with unsafe tokens, or spend more of the funded wallet than the user expected.
The skill grants broad mainnet trading capability across arbitrary tokens, while the supplied visible instructions do not define approval gates, token allowlists, spend limits, or slippage constraints.
This skill lets the AI agent create a BSC wallet ... swap tokens ... The agent is not limited to specific tokens — it can resolve token addresses and check which pairs have liquidity.
Require explicit confirmations, set maximum trade amounts and slippage limits, use token allowlists, and test with small amounts before funding the wallet.
A wrong or compromised dependency installation could affect wallet generation or transaction handling.
The skill relies on a manually installed npm package, and the registry has no install spec or lockfile. This is normal for an instruction-only Web3 skill, but users should verify the dependency source and version.
Prerequisite: Node.js 18+ with `ethers` (v6):

```bash
npm install ethers
```
Install from trusted package sources, pin a specific ethers version, and use a lockfile or reviewed setup script where possible.
