FXAI
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is not overtly malicious, but it can use a BNB wallet private key to approve and execute irreversible token creation and trading actions, with limited guardrails surfaced in the artifacts.
Review carefully before installing. If you use it, use a separate wallet with limited funds, verify every on-chain transaction before signing, confirm token/spender/contract addresses and amounts, avoid broad approvals, revoke allowances after use, pin trusted MCP/package versions, and upload only files intended to become public token metadata.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or MCP uses the wrong parameters, the configured wallet could sign transactions that move funds, create tokens, or approve token spending.
The skill depends on a wallet private key capable of signing blockchain transactions, while the provided registry requirements declare no required env vars or primary credential.
`PRIVATE_KEY` must be present in the MCP `env`; otherwise no on-chain transaction can be sent.
Use a dedicated low-balance wallet, verify every transaction manually, and ensure the registry/metadata clearly declares the PRIVATE_KEY requirement before installation.
A mistaken address, amount, spender, or percentage could cause irreversible trades or token approvals.
The skill instructs the agent to perform direct contract writes, token approvals, buys, and sells, but does not specify mandatory user confirmation, slippage limits, exact allowance policy, or rollback/revocation steps.
`write_contract` ... `createTokenWithQuote` ... first approve USDT (`approve_token_spending`) ... `buyTokensByUSDT` ... `sellTokensByPercentToBNB`
Require explicit confirmation for contract address, token address, spender, amount/value, network, gas, and expected result; use exact approvals and revoke allowances when finished.
The selected image, description, website, and social links leave the local machine and are sent to Flap's upload service.
The upload script reads the user-specified local image and sends it with metadata to the disclosed Flap API endpoint.
const imageBuf = fs.readFileSync(imagePath); ... await axios.post(FLAP_UPLOAD_API, form,
Only provide files and metadata intended to be public token metadata; do not point the script at private or sensitive files.
Future package changes could affect the wallet-signing integration even if this skill's included scripts remain unchanged.
The documented MCP setup uses an unpinned `@latest` package for the component that will interact with the configured wallet key.
Connect to BNB Chain MCP: `npx @bnb-chain/mcp@latest`
Pin and verify the MCP package version, install from a trusted source, and avoid sharing a high-value wallet key with unverified tooling.
