colorpool skills
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: colorpool-skills Version: 1.0.1 The skill bundle is classified as benign. It provides functionality for interacting with the ColorPool DEX on Chromia using the official `chr` command-line interface. The `skill.md` clearly outlines its purpose, required credentials (`~/.config/colorpool/credentials.json`, `~/.config/clawchain/credentials.json` for read access), and network endpoints (Chromia nodes at `https://chromia.01node.com:7740`). The installation of the `chr` CLI via `brew tap` and `brew install` from `gitlab.com/chromaway/core-tools/homebrew-chromia.git` is a standard method for installing dependencies. There is no evidence of data exfiltration, malicious execution (e.g., `curl|bash`), persistence mechanisms, obfuscation, or prompt injection attempts against the agent to perform actions outside its stated scope.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked without careful review, an agent could trade or move tokens in ways the user did not intend.
Token swaps and transfers can irreversibly move financial assets. The visible artifact frames these as agent capabilities, but does not show mandatory per-transaction user confirmation, spend caps, recipient verification, or execution limits.
This skill enables an AI agent to: ... **Swap tokens** ... **Transfer tokens** between accounts (including cross-chain transfers)
Require explicit user confirmation before every swap, transfer, registration, or cross-chain action, showing token, amount, recipient, route, fees, slippage, and exact command before execution.
The skill may need access to keys that can authorize real on-chain actions; users relying on registry metadata may not expect that level of privilege.
The registry metadata under-declares credential use, while SKILL.md requires access to a raw private key capable of signing blockchain transactions. That is high-impact delegated authority even if it is purpose-aligned.
Metadata: "Primary credential: none"; SKILL.md: "~/.config/colorpool/credentials.json" ... "Chromia keypair (privKey + pubKey in hex) for signing ColorPool transactions"
Declare the credential requirement in registry metadata, keep the key in a dedicated low-balance ColorPool account, and avoid sharing a main ClawChain or high-value wallet key.
Installing the CLI adds a third-party local tool that will handle blockchain commands and signing operations.
The skill depends on an external CLI installed from a Homebrew tap. This is expected for Chromia interaction and appears user-directed, but it is not reflected in the registry install spec.
install: "brew tap chromia/core https://gitlab.com/chromaway/core-tools/homebrew-chromia.git && brew install chromia/core/chr"
Install Chromia CLI only from official Chromia documentation, verify the tap/source, and keep the CLI updated.