plugin skill for clawchain agent to use pancake exchange

Pending: Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent, host, or wallet file is misused or compromised, funds sent to this wallet could be swapped or moved irreversibly.

Why it was flagged

This gives the agent persistent signing authority over a BSC wallet holding user-sent funds. The provided artifacts show a plaintext JSON private-key file and do not show encryption, spending caps, or a declared primary credential.

Skill content
The agent needs one file that stores both the private key and public address so it can sign transactions... Default file location: `~/.config/bsc_agent/wallet.json`.
Recommendation

Use only a new, low-balance or testnet wallet; never reuse an existing wallet/private key. Require explicit approval for every transaction, store keys with stronger protection, and declare the wallet/private key as a primary credential.

Concern: Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

A mistaken or manipulated agent action could trade into the wrong token, accept unsafe pricing, or spend more funds than intended.

Why it was flagged

For a real-money trading skill, broad token discovery and swap authority is risky unless bounded by explicit user confirmation, token allowlists, quote review, slippage limits, and maximum spend controls, which are not visible in the provided artifacts.

Skill content
This skill lets the AI agent ... swap tokens... The agent is not limited to specific tokens — it can resolve token addresses and check which pairs have liquidity.
Recommendation

Add hard guardrails: require user confirmation with transaction details before signing, enforce max spend and slippage limits, prefer testnet by default, and use allowlists for tokens/contracts.

What this means

The skill can link the BSC wallet public key/address to the user's ClawChain agent account, which may affect account state and privacy.

Why it was flagged

The public-key registration flow uses local ClawChain/Chromia credentials to submit an authenticated transaction. This appears purpose-aligned, but it is sensitive account authority and is not declared in the registry requirements.

Skill content
You must have an authenticated session (FT4 session from MetaMask or Chromia Vault)... `--ft-auth --secret ~/.config/clawchain/credentials.json`
Recommendation

Make this credential requirement explicit, explain exactly what the registration transaction changes, and ask the user to approve it before running.

What this means

Users depend on their local package manager and npm resolution for code that will generate and handle wallet keys.

Why it was flagged

The dependency is expected for Ethereum/BSC wallet operations, but the skill is instruction-only and does not provide a lockfile or pinned exact package version.

Skill content
Prerequisite: Node.js 18+ with `ethers` (v6): `npm install ethers`
Recommendation

Pin an exact ethers version (for example with `npm install --save-exact ethers`), ship a lockfile and install from it with `npm ci`, or otherwise provide verified install instructions, and encourage users to install only from trusted package sources.
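One way to check a skill's install spec for the pinning recommended above, as an added example that is not part of the skill or of ClawScan: it reads a `package.json` and a lockfileVersion 3 `package-lock.json` and reports a range instead of an exact version, a missing lockfile or entry, a version that disagrees with the manifest, a missing sha512 integrity hash, and a tarball resolved from somewhere other than the expected registry. The manifests are constructed inputs and the version number is illustrative; `auditDependency` and `TRUSTED_REGISTRY` are names chosen for this example.

```javascript
// Added example: verify that an install spec pins a dependency exactly and that a
// lockfile records what will actually be installed. Not the skill's own code; the
// manifests below are constructed and the version numbers are illustrative.
const EXACT_SEMVER_RE = /^\d+\.\d+\.\d+$/;
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Returns { ok, issues } for one dependency across package.json and package-lock.json
// (lockfileVersion 3 layout: packages["node_modules/<name>"]). lockJson may be null.
function auditDependency(manifestJson, lockJson, name) {
  const issues = [];
  const manifest = JSON.parse(manifestJson);
  const spec = (manifest.dependencies || {})[name];
  if (spec === undefined) {
    issues.push(`${name}: not declared in package.json dependencies`);
  } else if (!EXACT_SEMVER_RE.test(spec)) {
    issues.push(`${name}: version spec "${spec}" is a range, not an exact version`);
  }
  if (lockJson === null) {
    issues.push("no lockfile: resolution happens at install time");
    return { ok: false, issues };
  }
  const lock = JSON.parse(lockJson);
  const entry = (lock.packages || {})[`node_modules/${name}`];
  if (!entry) {
    issues.push(`${name}: missing from lockfile`);
    return { ok: false, issues };
  }
  if (spec !== undefined && EXACT_SEMVER_RE.test(spec) && entry.version !== spec) {
    issues.push(`${name}: lockfile has ${entry.version} but package.json pins ${spec}`);
  }
  if (!entry.integrity || !/^sha512-/.test(entry.integrity)) {
    issues.push(`${name}: lockfile entry lacks a sha512 integrity hash`);
  }
  if (!entry.resolved || !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
    issues.push(`${name}: resolved from ${entry.resolved || "(unset)"}, not ${TRUSTED_REGISTRY}`);
  }
  return { ok: issues.length === 0, issues };
}

// Constructed inputs: what a bare "npm install ethers" leaves behind with default npm
// settings (caret range, and no lockfile shipped with the skill) versus a pinned spec.
const MANIFEST_RANGE = JSON.stringify({ name: "bsc-agent", dependencies: { ethers: "^6.0.0" } });
const MANIFEST_PINNED = JSON.stringify({ name: "bsc-agent", dependencies: { ethers: "6.0.0" } });
const LOCK_PINNED = JSON.stringify({
  name: "bsc-agent", lockfileVersion: 3,
  packages: {
    "": { dependencies: { ethers: "6.0.0" } },
    "node_modules/ethers": {
      version: "6.0.0",
      resolved: "https://registry.npmjs.org/ethers/-/ethers-6.0.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // placeholder, not the real hash
    },
  },
});
// Same version, but fetched from an unexpected host and with no integrity hash.
const LOCK_MIRROR = JSON.stringify({
  name: "bsc-agent", lockfileVersion: 3,
  packages: {
    "": { dependencies: { ethers: "6.0.0" } },
    "node_modules/ethers": { version: "6.0.0", resolved: "http://mirror.example/ethers-6.0.0.tgz" },
  },
});

console.log(auditDependency(MANIFEST_RANGE, null, "ethers").issues);
console.log(auditDependency(MANIFEST_PINNED, LOCK_PINNED, "ethers")); // { ok: true, issues: [] }
console.log(auditDependency(MANIFEST_PINNED, LOCK_MIRROR, "ethers").issues);
```

`npm ci` installs exactly what the lockfile records and refuses to run when the lockfile and `package.json` disagree, which is the behaviour the version and integrity checks here are approximating before any install happens.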

What this means

Running the command creates a private-key file on disk that must be protected from other processes, backups, and accidental sharing.

Why it was flagged

The skill asks the user to run a local Node.js one-liner that writes a wallet file. This is a disclosed setup step and aligned with the skill purpose, but it executes local code and creates a sensitive secret file.

Skill content
`node -e "... ethers.Wallet.createRandom(); ... fs.writeFileSync(file, JSON.stringify({ privateKey: wallet.privateKey, address: wallet.address, publicKey: wallet.publicKey }, null, 2));"`
Recommendation

Review the command before running it, restrict file permissions, and prefer a dedicated secrets manager or hardware/software wallet workflow where possible.