Gensyn Delphi Skills
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Delphi trading skill, but it can use wallet signing credentials to execute irreversible on-chain trades, approvals, and bridges, so users should confirm every transaction carefully.
Install this only if you intend to let OpenClaw help interact with Delphi markets. Use testnet first, use a dedicated wallet with limited funds, do not paste secrets into chat, keep .env private, review the full transaction scripts before using real funds, and require explicit confirmation before any buy, sell, bridge, redeem, liquidate, or token-approval action.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with a funded wallet, the skill can spend tokens, sell positions, redeem or liquidate positions, approve token allowances, or bridge assets.
The skill clearly documents tools that can sign on-chain transactions and change balances, positions, or allowances. This matches the trading purpose, but it is financially high impact.
execute buy and sell transactions (with automatic token approval and slippage protection) ... redeem winnings ... manage ERC-20 token allowances
Before any transaction, confirm the exact network, wallet, market, outcome, token amount, slippage limit, bridge destination, and approval amount; prefer finite approvals and small test transactions.
A compromised or misused wallet private key or CDP wallet credential could authorize real transactions from the user's wallet.
The bundle requires API access and wallet signing credentials. These are expected for a market-trading skill, but they are powerful credentials.
"DELPHI_API_ACCESS_KEY", "WALLET_PRIVATE_KEY", "CDP_API_KEY_ID", "CDP_API_KEY_SECRET", "CDP_WALLET_SECRET", "CDP_WALLET_ADDRESS"
Use a dedicated low-balance wallet, never paste secrets into chat, keep the .env file private, rotate or revoke credentials if exposed, and use mainnet only when explicitly intended.
A malicious or unexpectedly changed dependency could affect scripts that prepare or sign transactions.
The skill depends on external npm packages with ranged versions. That is normal for this Node-based workflow, but dependency changes matter more because the scripts can use wallet signing credentials.
"@gensyn-ai/gensyn-delphi-sdk": "^1.0.0", "dotenv": "^16.4.0", "viem": "^2.21.0"
Install from the intended repository, review or generate a lockfile, pin dependency versions for real-funds use, and run in an isolated project directory.
A user relying only on the registry summary could be surprised that the skill needs API and wallet signing credentials.
The registry summary under-declares credential requirements compared with the bundle and SKILL.md. The credentials are disclosed elsewhere, so this is a metadata clarity issue rather than hidden behavior.
Required env vars: none ... Primary credential: none
Treat the credential requirements in the bundle and SKILL.md as authoritative; the publisher should update the registry metadata to reflect the required secrets.
