Defi Scout
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Defi Scout appears to be a read-only DeFi data helper, but it contacts external crypto APIs/RPCs and has an optional API-key/cache setup users should understand.
This skill is reasonable to install for read-only DeFi research if you are comfortable with the listed external providers. Do not provide private keys or seed phrases; this skill does not need them. Be aware that wallet checks reveal the queried public address to RPC providers, the CoinMarketCap sentiment script needs an optional API key, and cached sentiment data may be up to 24 hours old.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using wallet or Aave checks should expect their public wallet address to be queried through external RPC endpoints.
A user-supplied wallet address is sent to external Optimism/Base RPC providers to retrieve balances. This is purpose-aligned and disclosed, but it can link a wallet query to those providers.
```javascript
const RPC = { optimism: 'mainnet.optimism.io', base: 'mainnet.base.org' }; ... rpc(host, 'eth_getBalance', [addr, 'latest'])
```
Only query wallet addresses you are comfortable sending to the listed providers, or adapt the scripts to use your own trusted RPC endpoints.
If you use the CoinMarketCap sentiment feature, your CMC API key will be sent to CoinMarketCap as intended.
The sentiment script uses an environment API key for CoinMarketCap. This is expected for that provider, but the registry metadata declares no env vars or primary credential.
```javascript
const CMC_API_KEY = process.env.CMC_API_KEY; ... 'X-CMC_PRO_API_KEY': CMC_API_KEY
```
Use a low-privilege/free-tier CMC key, set it only when needed, and consider updating metadata to declare the optional `CMC_API_KEY`.
Market sentiment output may come from a local cache rather than a fresh API request.
The script persists CoinMarketCap sentiment data in a local memory cache. The cached data is not user secret data, but it can be reused across later runs and may be stale.
```javascript
const CACHE_FILE = path.join(__dirname, '../../../memory/cmc-cache.json'); const CACHE_TTL_MS = 24 * 60 * 60 * 1000; ... fs.writeFileSync(CACHE_FILE, JSON.stringify({ fetchedAt: Date.now(), data }, null, 2));
```
Check or clear `memory/cmc-cache.json` if freshness matters, and align documentation with the actual 24-hour cache TTL.
The CMC sentiment script may fail or depend on whatever `dotenv` version is already present in the runtime.
The script imports the third-party `dotenv` package, but the provided install metadata has no install spec or dependency declaration. This may rely on an ambient package and can cause setup ambiguity.
```javascript
require('dotenv').config({ path: require('path').join(__dirname, '../../../.env') });
```
Declare and pin any required package dependencies, or avoid the dependency if the skill is meant to be install-free.
