Credit Mastery

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a real wallet private key is exposed or mishandled, funds or token-launch authority could be lost.

Why it was flagged

The skill shows a workflow that sends a Solana wallet private key in an API request for token launch. This is high-impact financial credential use, while the registry declares no primary credential or required environment variable.

Skill content

"private_key": "[1,2,3,...]"  # Solana wallet private key

Recommendation

Do not use a main wallet private key. Prefer a disposable/testnet wallet, confirm the destination and transaction manually, and only provide keys through a trusted wallet-signing flow if possible.

What this means

A mistaken request could spend funds and create a public blockchain/marketplace artifact.

Why it was flagged

The skill documents a public/financial action that can create a marketplace listing and launch a Solana token. This is disclosed and purpose-aligned, but it is high-impact and should not be executed without explicit user confirmation.

Skill content

Creates agent listing + launches Solana token in single request. ... Cost: ~0.04 SOL per token launch

Recommendation

Require explicit confirmation before token launch, verify all token details, and test with low-value or testnet wallets first.

Note (High Confidence)
ASI10: Rogue Agents

What this means

Autonomous sub-agents may perform more steps, incur more provider usage, or produce outputs without close supervision.

Why it was flagged

The skill documents autonomous sub-agent creation and fire-and-forget delegation. This is central to multi-agent orchestration, but it can continue work outside a simple single-response interaction if not bounded.

Skill content

max_loops: "auto" (enables autonomous agent loop) ... wait_for_completion: false — fire-and-forget

Recommendation

Use bounded loop counts where possible, restrict selected tools, avoid fire-and-forget for sensitive tasks, and review planned sub-agent actions before execution.

What this means

Prompts, tasks, or credentials could be exposed to an MCP server if the server is untrusted or misconfigured.

Why it was flagged

The skill documents connecting agents to arbitrary MCP servers with authorization headers. This is purpose-aligned for tool integration, but it creates a trust boundary with external tool servers.

Skill content

"mcp_config": { "url": "https://your-mcp-server.com", "headers": {"Authorization": "Bearer ..."} }

Recommendation

Only connect to trusted MCP servers, use least-privilege tokens, and avoid sending sensitive data unless the server identity and permissions are clear.

What this means

A user looking for a credit-related skill could accidentally install a multi-agent/Solana integration guide.

Why it was flagged

The skill front matter names the skill "swarms-ai", while the registry entry is named "Credit Mastery" with slug "credit-mastery". The description matches Swarms, but the name mismatch can confuse users about what they are installing.

Skill content

name: swarms-ai

Recommendation

Rename or republish the skill so the registry name, slug, and SKILL.md name all match the actual Swarms API purpose.