Cypher Factory Launchpad
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Ethereum trading plugin, but it combines real wallet-signing authority with autonomous transaction features and registry/dependency disclosure gaps that deserve review before use.
Use read-only mode unless you intentionally want the agent to trade. If enabling writes, use a dedicated wallet with limited funds, verify the resolved SDK package, set low TxGate limits and explicit confirmations, use dry-run for strategies, and monitor or stop any running autonomous strategy.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A model-initiated tool call or started strategy could make irreversible trades or other on-chain transactions up to the configured TxGate limits.
The tool surface can spend funds on Ethereum Mainnet and includes autonomous trading behavior, while human confirmation is configurable rather than mandatory.
With a wallet configured, the plugin can perform real on-chain transactions ... copy-trading, and autonomous strategies ... Confirm Above ETH | No | Confirmation ceiling; 0 disables the feature
Use a dedicated low-balance wallet, set conservative per-transaction and daily TxGate limits, enable a nonzero confirmation threshold where supported, and test strategies with dry-run mode first.
Users may not receive the expected credential warning before granting a wallet private key or keystore password that can authorize real Ethereum transactions.
The supplied registry credential summary does not surface the private-key or keystore credential path, even though the package documentation and manifest describe those credentials as enabling wallet signing for write operations.
Env var declarations: none ... Primary credential: none
The registry metadata should declare the optional primary credentials clearly; users should only provide credentials for a segregated wallet they are willing to let the agent trade from.
A user could underestimate what will run locally or how much authority the plugin has when installed.
This user-facing install summary conflicts with the provided package artifacts that declare executable Node plugin code. For a wallet-signing plugin, calling it instruction-only understates the runtime impact.
Install specifications No install spec — this is an instruction-only skill.
Treat this as an executable plugin, not an instruction-only skill, and verify the manifest, package entry point, and installed dependency versions before enabling wallet write mode.
Core transaction-signing behavior depends on an external package whose exact resolved code is not established by the provided package metadata.
The plugin imports the SDK for launchpad agent logic, wallet handling, transaction gating, and strategies, but the dependency is not pinned to a concrete reviewed version in this artifact.
"dependencies": {
  "@cypherindustries/factory-sdk": "workspace:^"
}
Install only from a trusted release channel, verify the resolved SDK package/version, and prefer lockfile or pinned-release provenance for production wallets.
After first use, the plugin may keep polling the token registry and appending audit logs while the host process remains active.
The plugin discloses startup initialization and recurring activity after first tool use. This is purpose-aligned but means it can continue polling/logging beyond a single prompt.
"activation": { "onStartup": true ... "backgroundActivityOnFirstToolInvocation": ["TokenRegistry 60s polling loop ...", "Audit-log JSONL writer at ~/.cypher/audit/ ..."] }
Disable or unload the plugin when not needed, and stop any running strategy tools explicitly.
Local files may retain transaction history, strategy state, and an encrypted wallet artifact across restarts.
The plugin persists audit logs, state, and an encrypted wallet file. This is disclosed and aligned with the trading purpose, but persisted strategy/state data can affect later sessions.
"writePaths": ["~/.cypher/audit/", "~/.cypher-factory/state/", "~/.cypher-factory/agent-wallet.enc"]
Protect the host account and filesystem, review retained audit/state files, and remove the generated wallet/state if you stop using the plugin.
