Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

KaspaCom DeFi MCP

v0.1.0

Use KaspaCom DeFi MCP or CLI to query and transact across KaspaCom DEX, Lending, and LFG Launchpad on IGRA and Kasplex mainnet/testnet. Trigger when the user...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for marciano147/kaspacom-defi-mcp.

Install the skill "KaspaCom DeFi MCP" (marciano147/kaspacom-defi-mcp) from ClawHub.
Skill page: https://clawhub.ai/marciano147/kaspacom-defi-mcp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install marciano147/kaspacom-defi-mcp

ClawHub CLI

npx clawhub@latest install kaspacom-defi-mcp

Security Scan

Capability signals: Crypto, Requires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md behavior (querying and transacting on KaspaCom, performing swaps/lending/launchpad actions) matches the name/description — those actions legitimately require network access and a wallet key for writes. However the skill metadata declares no required env vars/credentials while the runtime instructions explicitly reference MCP_WALLET_KEY, an inconsistency that should be resolved.
Instruction Scope
The instructions stay within the DeFi/CLI domain: they show an npm install, how to start a local MCP server, how to pass MCP_WALLET_KEY for write actions, and recommend testnets. The instructions do not request unrelated files or other system secrets. They do, however, instruct executing code from a package you cannot verify from the registry data.
! Install Mechanism
The SKILL.md tells users to run `npm i -g @kaspacom/defi-mcp` and `node dist/mcp/index.js`. Installing and executing a global npm package is moderate risk—acceptable for this use-case if the package origin is trustworthy. Here there is no homepage/source provided in the registry metadata, so the package origin and contents cannot be audited from the registry data, increasing risk.
! Credentials
Write actions require a wallet private key (MCP_WALLET_KEY) per the instructions. The registry metadata, however, lists no required environment variables or primary credential. Requiring a private key is reasonable for transaction capability, but the omission in metadata is a meaningful mismatch and the practice of putting a private key in an env var should be considered sensitive and handled with caution.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not request elevated platform privileges. Installing a global npm package modifies the system (binaries on PATH) which is normal for a CLI but is a persistence footprint the user should accept explicitly. There's no indication the skill attempts to modify other skills or system-wide agent configs.
What to consider before installing
This skill appears functionally consistent with a KaspaCom DeFi CLI/MCP but has two red flags: the runtime tells you to install and run an npm package (which will execute code on your machine) and to supply MCP_WALLET_KEY, yet the registry lists no source/homepage and no required env vars. Before installing:

1) Ask the publisher for the package source (npm page and GitHub repo) and verify checksums and release authenticity.
2) Inspect the package code (or have it reviewed) before running, especially dist/mcp/index.js.
3) Never use your mainnet private key in an env var; use a testnet or ephemeral wallet with minimal funds and consider a hardware wallet or signing proxy.
4) Prefer running the package in an isolated environment (container or VM) until you trust it.
5) Request that the skill metadata be updated to declare MCP_WALLET_KEY as a required credential and include a homepage/source.

If the publisher cannot provide verifiable source code or a reputable package listing, avoid installing it on sensitive hosts.

Like a lobster shell, security has layers — review code before you run it.

defi, kaspa, latest, mcp
73 downloads
0 stars
1 version
Updated 1w ago
v0.1.0
MIT-0

KaspaCom DeFi MCP

KaspaCom DeFi MCP exposes KaspaCom DeFi through a single MCP server and CLI.

Supports

  • DEX: pairs, prices, swaps, add/remove liquidity
  • Lending: markets, positions, supply, borrow, repay
  • LFG Launchpad: active launches, buy/sell launch tokens
  • Networks: igra, igra-testnet, kasplex, kasplex-testnet

Install

npm i -g @kaspacom/defi-mcp

Start MCP server

MCP_NETWORK=igra node dist/mcp/index.js

With wallet:

MCP_WALLET_KEY="0x..." MCP_NETWORK=igra node dist/mcp/index.js

CLI

kaspacom-defi --help

Good use cases

  • "Show me all KaspaCom DEX pairs on Kasplex"
  • "Get my lending health factor on IGRA"
  • "List active LFG launches"
  • "Buy a launch token with 100 KAS"
  • "Get protocol info across networks"

Notes

  • Read-only tools work without a wallet.
  • Write actions require MCP_WALLET_KEY.
  • Use igra-testnet or kasplex-testnet for safe testing first.
