Poseidon OTC
Security checks across malware telemetry and agentic risk
Overview
Poseidon OTC appears to do what it says, but it gives an agent hot-wallet authority to make irreversible Solana token trades.
Only install this if you intentionally want an agent to operate a Solana OTC trading wallet. Use a small, dedicated burner wallet, require manual approval for every trade step, verify token mints and counterparties, and pin reviewed dependencies before using real funds.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with access to this skill could create, confirm, cancel, lock, or execute trades using funds in the configured wallet.
The skill is intended to let an agent automate financial trading operations. The artifacts do not show built-in spend caps or required human approval before high-impact trade actions.
### Autonomous Mode For fully automated execution with a dedicated wallet:
Require explicit user approval for every offer, confirmation, lockup, and swap execution; set strict token/amount/counterparty limits.
If the agent acts incorrectly or the key is exposed, assets in the burner wallet could be traded or lost.
The skill reads a private key from the environment and turns it into a Solana signing wallet, granting authority over any funds in that wallet.
burnerKey: process.env.POSEIDON_BURNER_KEY,
...
this.wallet = Keypair.fromSecretKey(bs58.decode(this.config.burnerKey));
Use only a dedicated, minimally funded burner wallet; never use a primary wallet key; rotate the key after use and monitor wallet activity.
A user could be harmed if an agent trusts the wrong room, link, or counterparty update before approving a trade.
Agent-to-agent trading and live room updates are disclosed and purpose-aligned, but they can influence financial decisions, so counterparty identity and room state should be verified before signing.
Supports agent-to-agent trading with real-time WebSocket updates.
Verify room links, invite codes, wallet addresses, token mints, amounts, and on-chain state before allowing any signing or execution.
A dependency update could change behavior in a financial signing workflow.
The package uses caret-ranged dependencies, so future installs may resolve to newer dependency versions than those reviewed.
"@solana/web3.js": "^1.87.6", "@solana/spl-token": "^0.3.9", "bs58": "^5.0.0"
Install from a trusted source, review the full package, and pin or lock dependency versions before using with real funds.
