Sponge Wallet

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

If the API key is available, an agent could potentially initiate wallet operations through the remote API, including financially significant actions.

Why it was flagged

The skill delegates direct API use to the agent for a financial service. In the visible artifacts, this is not paired with mandatory confirmation, spending limits, or scoped safe workflows for high-impact actions.

Skill content

This skill is **doc-only**. There is no local CLI. Agents must call the Sponge Wallet REST API directly.

Recommendation

Only use this skill if you understand the API permissions and can enforce explicit user confirmation, spending caps, allowlists, and review before transfers, swaps, purchases, or trades.

Concern: Medium Confidence
ASI03: Identity and Privilege Abuse
What this means

The agent may obtain persistent wallet API authority before the human owner has completed account claiming or approval.

Why it was flagged

For a wallet service, returning a live API key to the agent before human claim or approval is high-impact credential delegation. The visible instructions even label this mode as recommended.

Skill content

**Agent-first** (`agentFirst: true`): agent receives the API key immediately, and the human can claim later.

Recommendation

Prefer the standard device flow where a human approves before the API key is issued, and avoid agent-first mode unless the wallet is testnet-only or tightly funded and allowlisted.

What this means

A user may install the skill expecting wallet balance and transfer management, without realizing it can also support purchases, auto-payments, and market trading.

Why it was flagged

The short description frames the skill as wallet management, but the visible endpoint list also includes automatic payments, prediction-market trading, and Amazon purchasing.

Skill content

description: Manage crypto wallets, transfers, swaps, and balances via the Sponge Wallet API. ... POST /api/x402/fetch -> x402 fetch (auto-pay 402s) ... POST /api/polymarket -> Polymarket prediction market trading ... POST /api/checkout -> Amazon checkout (initiate purchase)

Recommendation

Update the description and user-facing guidance to clearly disclose all purchase, trading, and auto-payment capabilities before installation.