Crunch Coordinate
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is coherent for Crunch CLI use, but it can execute wallet-signed financial and account-changing commands without an explicit confirmation safeguard.
Install only if you intend to let an agent operate crunch-cli for Crunch/Solana workflows. Before any write or financial action, manually confirm the wallet, network, profile, amount, and target, and prefer dry-run or devnet testing first.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Wallet-signed write and financial commands run without a confirmation step

A mistaken or ambiguous request could lead the agent to run a real staking, withdrawal, reward, drain, or competition-management transaction.
The skill maps natural-language phrases directly to CLI commands that can move funds or mutate protocol state, and the execution instructions do not require a confirmation, transaction preview, or dry run for those high-impact commands.
Evidence: `deposit reward <name> <amount>` | `crunch-cli crunch deposit-reward "<name>" <amount>` ... `drain <name>` | `crunch-cli crunch drain "<name>"` ... `withdraw stake <amount>` | `crunch-cli staking withdraw <amount>` ... `4. **Execute** — Run command`
Recommendation: Require explicit user confirmation for every write or financial command, show wallet, network, amount, target, and expected effect first, and use `--dry-run` where supported before submitting transactions.
Finding 2: The skill holds delegated signing authority through a wallet keypair path

If the wrong wallet, network, or profile is used, the agent could sign transactions from an unintended account.
The skill expects access to a wallet keypair path so crunch-cli can sign on-chain transactions. This is purpose-aligned, and the skill says not to read or display the key file, but it is still sensitive delegated authority.
Evidence: `Solana Wallet Keypair` ... `A JSON file containing a Solana private key, used to sign transactions` ... `path referenced in ~/.crunch/config.json`
Recommendation: Use a dedicated low-balance wallet where possible, verify the active profile and network before each command, and provide only the wallet path, never the private key contents.
Finding 3: Dependency on an unpinned, globally installed external npm package

Installing the package gives external CLI code access to run locally and interact with the configured wallet and network.
The skill depends on a globally installed external npm package. This is disclosed and purpose-aligned, with user approval required, but the package code is not included in the reviewed artifacts.
Evidence: `npm install -g @crunchdao/crunch-cli` ... `Only install @crunchdao/crunch-cli from the official npm registry` ... `Ask the user before installing`
Recommendation: Review the npm package source and provenance, install only from the official registry, and consider pinning a trusted version instead of installing an unpinned global package.
