Grvt Markets
Warn: Audited by ClawScan on May 10, 2026.
Overview
This skill is openly a high-risk crypto trading tool, but it relies on an unaudited community CLI that stores private keys/session credentials on disk and can place trades or withdraw funds.
Only install this if you are comfortable using an unaudited community trading CLI with credentials that can affect real funds. Start on testnet, use a dedicated low-balance account, confirm every order or withdrawal manually, avoid `--yes`, and rotate or revoke keys after use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Unaudited, unpinned global npm CLI
Impact: A compromised, malicious, or buggy package could leak keys, misuse the account, or cause financial loss.
Description: The skill asks users to install a global, unpinned external npm CLI whose own documentation says it is unaudited and unofficial, while that CLI will handle trading credentials and funds.
Evidence: "`grvt-cli` is a community hobby project. It is NOT officially supported, endorsed, audited, or maintained by the GRVT team... Installation: `pnpm add -g @madeinusmate/grvt-cli`"
Recommendation: Do not use production funds until you have verified the package source and version, reviewed the code, and tested on testnet. Prefer a pinned version and a machine/account with limited funds.

Finding 2: High-value credentials persisted on disk
Impact: If the config file, API key, private key, or session cookie is exposed, an attacker or mistaken agent action could affect trades or funds.
Description: The skill requires high-value financial credentials and a private key for account-changing operations, then persists those secrets locally.
Evidence: "This tool stores API keys and private keys in plaintext on disk... Login requires an API key. A private key is optional but required for write operations (orders, transfers, withdrawals, derisk)."
Recommendation: Use a dedicated low-balance account, testnet first, and revoke/rotate keys after use. Avoid storing production private keys unless you understand the risk.

Finding 3: Withdrawals with a confirmation-bypass flag
Impact: A wrong address, amount, or unattended command could lead to irreversible loss or unexpected fund movement.
Description: The documented tool can move funds out to an Ethereum address and includes a confirmation-bypass flag, which is risky in an agent-driven workflow.
Evidence: "`grvt funds withdraw create`: Withdraw funds from a sub-account to an Ethereum address. Requires a private key for EIP-712 signing. Prompts for confirmation unless `--yes` is passed."
Recommendation: Require explicit user confirmation of the exact destination, currency, amount, environment, and sub-account before any transfer or withdrawal. Do not let the agent use `--yes` for financial actions.

Finding 4: Runtime behavior depends on an external package
Impact: The reviewed skill contains no code, so the real behavior depends on the external CLI package installed at runtime.
Description: Installing and running a global npm CLI is expected for this skill, but it still introduces executable code outside the reviewed artifact set.
Evidence: "Package: `@madeinusmate/grvt-cli` (npm). Binary: `grvt`. Requires Node.js >= 20. Installation: `pnpm add -g @madeinusmate/grvt-cli`"
Recommendation: Install only from a verified source, pin the version where possible, and review the package before giving it credentials.
