v2.2.0

Silverback Defi

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:56 AM.

Analysis

This is a coherent user-invoked DeFi API skill, but using it may spend USDC, produce swap-signing data, and optionally install a third-party MCP package.

Guidance: Before using this skill, confirm each paid x402 charge, use a limited wallet, avoid entering private keys or seed phrases, and never sign Permit2 or swap data until the wallet prompt has been independently verified. If you install the optional MCP server, review and pin the npm package first.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
From SKILL.md:
    Non-custodial Swap ($0.05)
    Returns unsigned EIP-712 Permit2 data for client-side signing.

The skill does not show automatic signing or transaction submission, but it can produce wallet-signing data for swaps, which is financially sensitive if later signed by the user.

User impact: If a user signs unverified Permit2 or swap data, their wallet may authorize token movement according to the signed terms.
Recommendation: Treat swap responses as proposals only; verify token addresses, amounts, spender, domain, route, and wallet prompts before signing.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
From SKILL.md:
    npm install -g silverback-x402-mcp

The optional MCP integration is installed globally from npm. That is a disclosed, purpose-aligned setup path, but it brings in third-party code not contained in this instruction-only skill.

User impact: Installing the optional MCP package could add executable code and tools to the user's local agent environment.
Recommendation: Review the npm package and linked source, pin a trusted version where possible, and install in an isolated environment if using the MCP server.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
From SKILL.md:
    Your agent handles payment using `@x402/fetch` or any x402-compatible client with its own wallet. Prices range from $0.001 to $0.10 per call.

The skill discloses wallet-backed USDC micropayments. This is purpose-aligned for a paid x402 DeFi API, but it means use can spend funds from a configured wallet.

User impact: Paid endpoint calls can spend small amounts of USDC if an x402 wallet/payment client is configured.
Recommendation: Use a dedicated low-balance wallet or spending limits, and confirm each 402 payment amount before allowing paid calls.