KaspaCom Lending MCP

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for KaspaCom DeFi lending, but it can initiate wallet-backed supply, borrow, and repay actions without documented approval, limits, or wallet-scope safeguards.

Review carefully before installing. This appears to be a legitimate instruction-only crypto lending helper, but it can guide an agent toward real DeFi transactions. Use read-only commands first, verify the npm package, connect only a limited wallet, and require manual confirmation for every supply, borrow, or repay action.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If connected to a wallet or signer, an agent could help initiate financial transactions that affect collateral, debt, and liquidation risk.

Why it was flagged

These commands are high-impact DeFi transaction actions that can change a user's lending position, create debt, or move assets; the artifact does not include approval, limit, simulation, or confirmation guidance.

Skill content

kaspacom-defi supply --token USDC --amount 500 --network igra
kaspacom-defi borrow --token WKAS --amount 50 --network igra
kaspacom-defi repay --token WKAS --amount max --network igra

Recommendation

Require explicit user confirmation for every transaction, show network/token/amount/fees/health-factor impact before execution, and default to read-only checks unless the user clearly requests a transaction.

What this means

Users may not understand what wallet authority the skill or CLI needs before using it for lending transactions.

Why it was flagged

The skill is flagged as requiring wallet capability, but the credential and configuration contract does not describe which wallet, signer, network, or permissions are needed.

Skill content

Primary credential: none ... Capability signals: crypto; requires-wallet

Recommendation

Document the wallet/signing model, required permissions, supported networks, and safety checks. Use a limited wallet and require manual wallet approval for all state-changing actions.

What this means

Installing a global CLI gives that package code execution on the user's machine, and in this case it may interact with crypto lending workflows.

Why it was flagged

The skill relies on a globally installed external npm CLI whose implementation is not included in the supplied artifacts; this is expected for a CLI-based skill but important because it is used for wallet-backed DeFi actions.

Skill content

npm i -g @kaspacom/defi-mcp

Recommendation

Install only from a trusted package source, verify the package identity and version, and consider using an isolated environment or wallet with limited funds.