SHLL Safe Execution
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is for crypto trading, but it gives the AI a wallet key and broad financial execution tools through an external npm package that was not included for review.
Install only if you understand the DeFi and private-key risks. Use a newly generated operator wallet with minimal BNB for gas, never a main or owner wallet, verify the npm package and contract addresses, set strict on-chain policies, and require manual approval for any trade, transfer, raw calldata, or batch execution.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A bad instruction, mistaken agent action, or unsafe calldata source could cause policy-approved trades or transfers involving the user's vault assets.
These are broad financial write tools, including a raw-calldata escape hatch and batch execution, which can mutate on-chain assets if the AI issues an approved call.
`transfer` | Write | Send BNB or ERC20 from vault ...
`execute_calldata` | Write | Execute raw calldata from any source through PolicyGuard ...
`execute_calldata_batch` | Write | Execute multiple calldata actions atomically through PolicyGuard
Require explicit user confirmation for every write transaction, disable or tightly restrict raw calldata tools by default, and configure strict spending, receiver, protocol, and cooldown policies before use.
If the npm package or installed binary is compromised or differs from the documentation, it could misuse the operator wallet or execute unintended financial actions.
The skill relies on globally installed external executable code to handle private keys and transactions, but the supplied review artifacts contain no package code or install specification for that executable.
npm install -g shll-skills ... This installs two binaries: `shll-run` ... `shll-mcp`
Review and pin the exact package version, verify the repository and package provenance, and only run it with a purpose-built wallet holding minimal gas funds.
Anyone or anything that can access that key or the configured agent tooling may be able to spend gas and perform policy-approved actions.
The skill intentionally delegates a crypto wallet private key to the AI-operated tooling for write operations.
`RUNNER_PRIVATE_KEY` | Yes for write ops and agent-linked reads | Operator wallet key (~$1 BNB for gas)
Never use a main wallet or owner wallet; generate a dedicated operator key, keep only minimal BNB for gas, and rotate the key if it may have been exposed.
Users could over-trust the protection claims and give the tool more authority or funds than they can afford to risk.
The docs make strong safety assurances that may be true if contracts and policies are configured correctly, but those assurances are not independently verifiable from the supplied executable artifacts.
Even if this key is compromised, on-chain PolicyGuard limits the operator to policy-approved trades only; it cannot withdraw vault funds or transfer the Agent NFT.
Treat the policy protections as a defense-in-depth control, not a guarantee; verify the contract addresses, policy settings, and installed package before funding or trading.
