ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

KaspaCom Lending MCP

v0.1.0

Use KaspaCom Lending through the KaspaCom DeFi MCP/CLI for market discovery, position checks, and lending actions like supply, borrow, and repay on IGRA and...

0· 71·0 current·0 all-time
by@marciano147

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for marciano147/kaspacom-lending-mcp.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "KaspaCom Lending MCP" (marciano147/kaspacom-lending-mcp) from ClawHub.
Skill page: https://clawhub.ai/marciano147/kaspacom-lending-mcp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install kaspacom-lending-mcp

ClawHub CLI

Package manager switcher

npx clawhub@latest install kaspacom-lending-mcp
Security Scan
Capability signals
CryptoRequires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name and examples show read-only queries and on-chain transactions (supply/borrow/repay). However, the skill declares no required credentials, wallet/private-key inputs, RPC endpoints, or config paths — all of which are normally necessary to perform blockchain transactions. The skill also has no homepage or source URL, making it harder to verify the requested package.
!
Instruction Scope
SKILL.md explicitly tells the agent to run 'npm i -g @kaspacom/defi-mcp' and to invoke CLI commands that perform transactions. Those transaction commands will require signing keys or other authentication, but the instructions do not explain how keys are supplied, where secrets are stored, or what network endpoints are used. The instructions thus ask the agent to perform disk/network actions without describing required secrets or safeguards.
!
Install Mechanism
The skill is instruction-only but instructs a global npm install of a scoped package (@kaspacom/defi-mcp). Installing a global npm package executes third-party code on the host — a moderate risk. The skill metadata contains no formal install spec and provides no package registry/source verification, homepage, or repository link to validate the package.
!
Credentials
No environment variables, credentials, or config paths are declared, yet the skill's transaction examples require private-key access or wallet integration. That absence is disproportionate and ambiguous: either the CLI magically has access to signing material (not stated) or the skill expects the agent to obtain/store secrets in unspecified ways.
Persistence & Privilege
The skill does not request persistent elevated privileges (always:false) and is user-invocable. It does, however, instruct installing a global package which will persist on disk — this is part of the instruction set rather than metadata-declared persistence.
What to consider before installing
This skill asks you to globally install an npm CLI and shows transaction commands but provides no source link or explanation of how private keys/signing are handled. Before installing or using it: 1) Verify the package (@kaspacom/defi-mcp) on npm and find its repository/homepage; review the code or maintainers. 2) Ask the publisher how the CLI obtains signing keys (env vars, keystore, hardware wallet, or prompts). Do not supply private keys to an unverified package or agent. 3) Prefer running any install in an isolated environment (container/VM) and audit the package for network calls and credential handling. 4) If you want read-only use, confirm that you can run queries without exposing secrets. 5) Decline or treat cautiously until the author provides provenance (package page, repository, and docs) and clarifies auth mechanisms.

Like a lobster shell, security has layers — review code before you run it.

kaspavk97591t1jbdcv9xfq1eqjweg0x84r1belatestvk97591t1jbdcv9xfq1eqjweg0x84r1belendingvk97591t1jbdcv9xfq1eqjweg0x84r1bemcpvk97591t1jbdcv9xfq1eqjweg0x84r1be
71downloads
0stars
1versions
Updated 2w ago
v0.1.0
MIT-0
@marciano147
kaspalatestlendingmcp
Download

KaspaCom Lending MCP

Focused skill for KaspaCom lending via MCP/CLI.

Install

npm i -g @kaspacom/defi-mcp

Read-only examples

kaspacom-defi getMarkets --network igra
kaspacom-defi getPosition --address 0xYOUR_WALLET --network igra

Transaction examples

kaspacom-defi supply --token USDC --amount 500 --network igra
kaspacom-defi borrow --token WKAS --amount 50 --network igra
kaspacom-defi repay --token WKAS --amount max --network igra

Best for

  • Market snapshots
  • Wallet lending positions
  • Health factor checks
  • Collateral and borrowing flows
  • AI-agent access to KaspaCom lending

Comments

Loading comments...