colorpool skills

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

This is a coherent ColorPool DEX skill, but it uses local blockchain private keys and can perform token swaps/transfers while the registry metadata under-declares those sensitive requirements.

Review this skill carefully before use. It appears aligned with ColorPool DEX trading, but it needs access to local signing keys and can move or trade tokens. Use a dedicated low-balance wallet, verify the Chromia CLI source, and require manual confirmation for every transaction.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

If invoked without careful review, an agent could trade or move tokens in ways the user did not intend.

Why it was flagged

Token swaps and transfers can irreversibly move financial assets. The visible artifact frames these as agent capabilities, but does not show mandatory per-transaction user confirmation, spend caps, recipient verification, or execution limits.

Skill content
This skill enables an AI agent to: ... **Swap tokens** ... **Transfer tokens** between accounts (including cross-chain transfers)
Recommendation

Require explicit user confirmation before every swap, transfer, registration, or cross-chain action, showing token, amount, recipient, route, fees, slippage, and exact command before execution.

What this means

The skill may need access to keys that can authorize real on-chain actions; users relying on registry metadata may not expect that level of privilege.

Why it was flagged

The registry metadata under-declares credential use, while SKILL.md requires access to a raw private key capable of signing blockchain transactions. That is high-impact delegated authority even if it is purpose-aligned.

Skill content
Metadata: "Primary credential: none"; SKILL.md: "~/.config/colorpool/credentials.json" ... "Chromia keypair (privKey + pubKey in hex) for signing ColorPool transactions"
Recommendation

Declare the credential requirement in registry metadata, keep the key in a dedicated low-balance ColorPool account, and avoid sharing a main ClawChain or high-value wallet key.

What this means

Installing the CLI adds a third-party local tool that will handle blockchain commands and signing operations.

Why it was flagged

The skill depends on an external CLI installed from a Homebrew tap. This is expected for Chromia interaction and appears user-directed, but it is not reflected in the registry install spec.

Skill content
install: "brew tap chromia/core https://gitlab.com/chromaway/core-tools/homebrew-chromia.git && brew install chromia/core/chr"
Recommendation

Install Chromia CLI only from official Chromia documentation, verify the tap/source, and keep the CLI updated.