b402 Private DeFi
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill’s DeFi purpose is coherent, but it installs an unpinned MCP package that can use wallet private-key authority to move, swap, lend, and bridge funds without documented guardrails.
Only install this if you fully trust the npm package and are willing to give it DeFi transaction authority. Use a burner wallet with small funds, pin and verify the package version, review the generated Claude/MCP configuration, and require manual confirmation, quotes, limits, and recipient checks before any transaction.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: If the agent, MCP server, or installed package is misused or compromised, funds controlled by the key or generated wallet could be moved through irreversible DeFi transactions.
Detail: The skill requires a private key and also creates a persistent wallet file; those credentials can authorize blockchain transactions controlling user funds.
Evidence (from the skill artifact): "requires: env: [WORKER_PRIVATE_KEY] ... This generates a wallet at `~/.b402/wallet.json`"
Recommendation: Use only a dedicated low-balance wallet, never a main wallet key, and require explicit human confirmation and spending limits for every transaction.
Finding 2
Impact: A mistaken prompt or unsafe tool invocation could swap, lend, bridge, or send assets in ways that are difficult or impossible to reverse.
Detail: The exposed tools can mutate financial positions across pools, swaps, vaults, and bridges, including a multi-step strategy call, but the artifacts do not document safety gates or execution limits.
Evidence (from the skill artifact): "`shield_usdc` | Move USDC into the Railgun privacy pool ... `cross_chain_privately` | Private cross-chain transfer or swap ... `run_strategy` | Multi-step: swap + lend + reserve in one call"
Recommendation: Require quotes before execution, explicit confirmation after quotes, slippage and amount limits, recipient allowlists, and clear logs for every transaction.
Finding 3
Impact: A changed or compromised future npm release could be installed and granted access to the same wallet/agent integration.
Detail: The install command runs the latest npm package and modifies the local agent configuration. In this high-impact wallet context, an unpinned package/version creates a material supply-chain risk.
Evidence (from the skill artifact): "`npx b402-mcp@latest --claude` ... patches your Claude Desktop config, and registers the MCP server"
Recommendation: Pin and verify a specific package version, review the package source and checksums, and install only from a trusted environment.
Finding 4
Impact: A user may overestimate anonymity, cost behavior, or risk reduction when using privacy pools, bridges, and DeFi protocols.
Detail: The skill makes strong privacy and gasless-use claims without caveats in the artifact. These may be marketing claims, but users should not treat them as independently verified guarantees.
Evidence (from the skill artifact): "All private. All gasless. ... all gasless and untraceable ... Source and destination are unlinkable."
Recommendation: Verify protocol limitations, fees, legal/compliance implications, and privacy assumptions before funding or transacting.
