Sponge Wallet
Warn
Audited by ClawScan on May 10, 2026.
Overview
This wallet skill is mostly coherent, but it gives an agent high-impact financial authority and includes trading, auto-payment, and checkout capabilities that are not clearly disclosed in the short description.
Review this skill carefully before installing. If you use it, prefer human-approved login or standard device registration, keep the wallet minimally funded, use testnet where possible, and require explicit confirmation for every transfer, swap, bridge, checkout, auto-payment, or trading action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key is available, an agent could potentially initiate wallet operations through the remote API, including financially significant actions.
The skill delegates direct API use to the agent for a financial service. In the visible artifacts, this is not paired with mandatory confirmation, spending limits, or scoped safe workflows for high-impact actions.
This skill is **doc-only**. There is no local CLI. Agents must call the Sponge Wallet REST API directly.
Only use this skill if you understand the API permissions and can enforce explicit user confirmation, spending caps, allowlists, and review before transfers, swaps, purchases, or trades.
The agent may obtain persistent wallet API authority before the human owner has completed account claiming or approval.
For a wallet service, returning a live API key to the agent before human claim or approval is high-impact credential delegation. The visible instructions even label this mode as recommended.
**Agent-first** (`agentFirst: true`): agent receives the API key immediately, and the human can claim later.
Prefer the standard device flow where a human approves before the API key is issued, and avoid agent-first mode unless the wallet is testnet-only or tightly funded and allowlisted.
A user may install the skill expecting wallet balance and transfer management, without realizing it can also support purchases, auto-payments, and market trading.
The short description frames the skill as wallet management, but the visible endpoint list also includes automatic payments, prediction-market trading, and Amazon purchasing.
description: Manage crypto wallets, transfers, swaps, and balances via the Sponge Wallet API.
...
POST /api/x402/fetch -> x402 fetch (auto-pay 402s)
...
POST /api/polymarket -> Polymarket prediction market trading
...
POST /api/checkout -> Amazon checkout (initiate purchase)
Update the description and user-facing guidance to clearly disclose all purchase, trading, and auto-payment capabilities before installation.
