Use Smart Contract Platform
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Circle smart-contract integration, but it needs careful review because it uses powerful Circle wallet credentials and can trigger irreversible on-chain actions.
Install only if you intend to let the agent work with Circle Smart Contract Platform. Prefer testnet or sandbox credentials, pin SDK versions, and never hand over production Circle API keys or entity secrets without strict need. Treat every deploy, mint, airdrop, or contract write as irreversible: manually confirm the network, wallet, contract address, ABI signature, parameters, recipients, and fees before execution.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If production Circle credentials are provided, the agent may have the access needed to deploy contracts or initiate wallet-backed contract transactions.
These credentials can authorize Circle Smart Contract Platform and Developer-Controlled Wallet actions. The registry metadata declares no required env vars or primary credential, so the sensitive permission boundary is under-declared.
CIRCLE_API_KEY= # Circle API key
...
ENTITY_SECRET= # Registered entity secret for Developer-Controlled Wallets
Use sandbox or testnet credentials where possible, restrict keys to the least privilege available, do not provide production entity secrets unless necessary, and require explicit user approval before any wallet write or deployment.
A wrong or unintended write call could mint tokens, change contract state, spend fees, or perform irreversible blockchain actions.
The skill documents raw ABI-based write execution through a wallet. Such calls can invoke arbitrary contract functions and spend gas, but the artifacts do not define approval checks, chain restrictions, or parameter validation safeguards.
Write calls require `walletId` and gas fee settings. ... walletClient.createContractExecutionTransaction({ ... abiFunctionSignature: "safeMint(address,uint256)" ... })
Before using write features, verify the chain, contract address, ABI signature, parameters, wallet ID, fee level, and recipient, and require a human confirmation step for every deploy, mint, airdrop, or contract write.
Contract event notifications may be sent to an endpoint you control; if that endpoint is insecure, event data or webhook handling could be exposed or spoofed.
Webhook monitoring is purpose-aligned, but it creates an external data flow to a public endpoint and the artifact does not discuss webhook authentication, signature verification, or endpoint access controls.
- A public HTTPS webhook endpoint that accepts POST ... Use this flow to receive webhook notifications when a contract emits specific events
Use HTTPS endpoints with authentication or signature verification, log only what is needed, and confirm which Circle webhook destination is configured before enabling monitors.
Installing packages from npm can execute package lifecycle code, and future package versions may differ from what the skill author tested.
The skill relies on user-installed npm packages. This is expected for the stated SDK integration, but versions are not pinned and no lockfile or install spec is provided in the artifacts.
npm install @circle-fin/smart-contract-platform @circle-fin/developer-controlled-wallets
Install from the official npm registry, pin package versions, use a lockfile, and review package provenance before using production credentials.
