impossible finance skills
v1.0.1
BSC (Binance Smart Chain) trading on Impossible Finance DEX: wallet creation, token swaps, pair discovery, and balance management.
by Keti Yohannes (@kj-script)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's declared functionality (wallet creation, token discovery, swaps, balance checks) matches the environment variables, files, and dependencies described inside SKILL.md. However, the registry-level metadata provided with the skill claims no required env vars or credentials, while the embedded SKILL.md defines multiple required env vars, credential file paths, and dependencies. This is an internal inconsistency in packaging.
Instruction Scope
SKILL.md instructions stay within the stated scope: they read/write a wallet file under ~/.config/impossible_agent, optionally read an existing clawchain credentials file, call a BSC RPC endpoint, and use the Impossible Finance router/factory contracts. The instructions do not (in the visible portion) request arbitrary system-wide file access or exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. Dependencies are normal for the task (Node.js and the ethers npm package). There are no remote downloads from untrusted URLs or archive extraction steps in the manifest.
Credentials
The skill requires creating and reading a local wallet file containing private key material and may read an optional ClawChain credentials file from another skill's config path. That is functionally necessary for on-chain signing, but it is high-risk: storing private keys on disk and allowing a skill to read another skill's credentials increases attack surface and must be justified and protected (encryption, strict permissions). Also, the registry metadata failing to list these env/credential requirements reduces transparency.
Persistence & Privilege
The skill does not request permanent 'always:true' inclusion and doesn't declare modifications to other skills or system-wide agent settings. It persists a wallet file in a dedicated config path, which is expected for this functionality.
What to consider before installing
This skill legitimately needs a local wallet and BSC RPC access to sign and submit trades, but that requires handling your private key, which is very sensitive. Before installing:
(1) confirm the skill's origin and trust the publisher (the registry metadata does not align with the embedded SKILL.md);
(2) only use a dedicated, small-balance wallet for this skill and encrypt the wallet file at rest with strict file permissions;
(3) review the full SKILL.md (including the Security section) to see how key encryption and confirmations are implemented;
(4) be cautious about allowing any skill to read other skills' credential files (the clawchain path here is optional but could increase risk); and
(5) if you need assurance, ask the publisher for a signed release, a code sample showing exactly how keys are handled, or run the wallet-creation scripts offline and inspect their output before giving the agent access.
