KaspaCom LFG MCP
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent DeFi launchpad skill, but it enables crypto buy/sell actions through an external global CLI without clear approval, wallet, or spending limits.
Review this carefully before installing. It is meant for crypto launchpad trading, so use only with explicit transaction approval, a limited wallet, and a verified version of the external CLI package.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incautiously, the agent or user could trigger token trades that move or lose funds.
These are raw CLI commands for buying and selling crypto launch tokens. The skill does not include surrounding instructions requiring explicit confirmation, spend limits, slippage limits, or a dry-run before executing transactions.
kaspacom-defi buyLaunchToken --token 0xTOKEN --amountIn 100 --network kasplex
kaspacom-defi sellLaunchToken --token 0xTOKEN --amountIn 1000000 --network kasplex
Only use after confirming each transaction manually. Prefer a wallet or CLI configuration with limited funds, require explicit per-trade approval, and verify token address, network, amount, and slippage before execution.
Users cannot tell from the artifacts what account, wallet, or permissions the CLI will rely on when executing trades.
The registry declares no credential or configuration boundary even though SKILL.md describes launch-token trading. This leaves the wallet/account authority and signing mechanism unclear.
Required env vars: none; Env var declarations: none; Primary credential: none; Required config paths: none
Document the exact credential, wallet, network, and signing flow required. Use least-privilege wallets, test accounts, or explicit transaction prompts rather than broad unattended trading authority.
The installed package will provide the actual trading behavior, so any issue in that package could affect the user's environment or funds.
The skill depends on an external, globally installed npm package that is not included in the reviewed artifacts and is not pinned to a version. This is central to the stated CLI/MCP purpose, but users should verify provenance before using it for financial transactions.
npm i -g @kaspacom/defi-mcp
Verify the npm package publisher, version, source repository, and release integrity before installing; consider pinning a reviewed version.
