CSPR.trade MCP
v1.1.0Trade on CSPR.trade DEX (Casper Network) — swaps, liquidity, and portfolio queries via the cspr-trade MCP server. Non-custodial — transactions are built remo...
⭐ 0· 78·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name, description, and declared requirements align: the skill interacts with the CSPR.trade MCP server and optionally uses local signing keys (PEM/mnemonic) for transaction signing. The optional environment variables declared in SKILL.md are appropriate for a local signer and relate to the skill's purpose. Note: registry metadata in the manifest used placeholders ([object Object]) instead of rendering the env var entries, which is a packaging/encoding inconsistency but not a functional mismatch.
Instruction Scope
SKILL.md's instructions are narrowly scoped to building quotes, building transactions, asking for user confirmation, invoking a local signer (if configured), and submitting signed transactions to the MCP server. It explicitly instructs the agent not to configure or enable the signer and to require explicit user confirmation before signing. One claim — that private keys are 'never transmitted over the network or seen by the LLM' — is operationally plausible given a properly configured local signer, but this cannot be enforced by the instruction file alone; ensure your runtime does not expose env vars or files to the agent.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an installation perspective because nothing will be written to disk by the skill itself.
Credentials
All sensitive environment variables declared (CSPR_TRADE_KEY_PATH, CSPR_TRADE_KEY_PEM, CSPR_TRADE_MNEMONIC, CSPR_TRADE_NETWORK) are optional and explicitly described as only used for the optional local signer. The requested secrets are proportional to the optional functionality (local signing). The manifest display glitch ([object Object]) should be corrected to show the declared env vars clearly.
Persistence & Privilege
Skill is not always-enabled and is user-invocable. It requests no persistent system privileges, does not request system config paths, and does not attempt to modify other skills. Autonomous invocation is allowed (platform default) but not coupled with any elevated persistence in this package.
Assessment
This skill appears coherent for interacting with CSPR.trade and optional local signing, but take these precautions before installing/using it: 1) Do not paste private keys or mnemonics into chat — keep them in a local signer process or hardware wallet. 2) If you enable the 'local signer' option, verify the signer truly runs locally (check your MCP client config) and that the agent runtime does not have access to your environment variables or filesystem paths holding keys. 3) Confirm each signing operation manually when prompted; never allow automatic signing. 4) Verify the MCP server URL (https://mcp.cspr.trade) and, if possible, review the referenced GitHub repository to ensure the open-source server matches your security expectations. 5) Fix the manifest rendering issue before trusting automated tooling (the env var entries appear as [object Object] in the registry metadata). If you are unsure about exposing keys to any process, use a hardware wallet or only use read-only features (quotes, prices, portfolio checks).Like a lobster shell, security has layers — review code before you run it.
latestvk978z7k6rtntzf4djaq8qvaf2x83h2ht
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔁 Clawdis
Env[object Object], [object Object], [object Object], [object Object]