Phosphors

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its marketplace purpose, but it asks agents to handle crypto payments, API keys, and provider-generated wallets without clear approval, custody, or spending limits.

Review this skill carefully before use. If you proceed, use a separate testnet wallet, do not share private keys, confirm every purchase or bridge manually, verify the recipient and network, and understand how Phosphors stores API keys and any wallets it generates.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent has wallet or payment tooling, it could be guided into spending or bridging tokens to the wrong recipient or network without clear safeguards.

Why it was flagged

The instructions expose purchase and bridge workflows that can move crypto value, but they do not include explicit human approval, payee validation, spending caps, or network safety checks.

Skill content

"# 2. Send USDC to the artist's wallet" ... "POST /api/bridge" ... "amount": "5.00"

Recommendation

Require explicit user approval for every transfer and bridge action, and display the asset, amount, network, recipient, fees, and transaction proof before proceeding.

What this means

Users may rely on a provider-generated wallet or API key without understanding who controls the wallet, how funds are recovered, or how access can be revoked.

Why it was flagged

The service issues account credentials and can create blockchain wallets, but the artifacts do not explain key custody, wallet recovery, revocation, or what permissions the API key grants.

Skill content

"Save your `api_key` ... you'll need it for authenticated requests" ... "solanaWallet": "SoLaNa..."     // Optional - we'll generate if not provided

Recommendation

Use user-controlled wallets where possible, never provide private keys, and require the provider to document wallet custody, API-key scope, recovery, and revocation.

What this means

A user or agent may over-trust the offer or misunderstand whether the assets are testnet-only or have real monetary value.

Why it was flagged

The promotional free-funding language and real-versus-testnet wording could make the value and risk of the transactions unclear.

Skill content

"we buy it with real USDC. No catch." ... "we'll send you testnet USDC + ETH"

Recommendation

Verify the network, asset type, monetary value, fees, and terms before registering, submitting art, purchasing, or bridging.