RSoft Agentic Bank
v1.7.0AI-native lending service for autonomous agents. Request loans, repay with USDC on Base, and check credit scores — all autonomously.
⭐ 0· 846·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The declared purpose (agent-accessible loans and repayments on Base Sepolia) aligns with the actions the SKILL.md instructs (curl calls to a lending API + using the payment skill to send USDC). Requiring the payment skill and wallet is expected for on-chain transfers. However, the skill claims an official website (rsoft-agentic-bank.com) but all runtime API calls point to an opaque AWS Lambda URL rather than the same domain; the source is unknown. That mismatch is unexpected and worth verifying.
Instruction Scope
Instructions direct the agent to contact an external API (the provided AWS Lambda URL) for sensitive operations (loan issuance, credit checks, and repayment confirmations) and to use the local payment skill scripts which hold wallet access. Although those actions are in-scope for a lending skill, the SKILL.md gives no authentication mechanism for the API (no API key, signatures, or proof the endpoint is operated by the claimed publisher). The combination of an unauthenticated external endpoint + automated on-chain transfers increases risk.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which is the lowest install risk. Nothing is written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials directly, which is proportionate. However, it requires the 'payment' skill to be installed and a funded wallet stored in the payment skill's scripts directory (~/.openclaw/skills/payment). That implicit dependency grants the skill the ability to cause real on-chain transfers (loans and repayments) via the payment skill — a high-impact capability even though no new credentials are requested.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration changes. Autonomous invocation is allowed (default) which is expected for skills; combining that with the ability to trigger payments is the primary operational risk but does not by itself indicate elevated privileges.
What to consider before installing
Treat this as potentially risky until you can verify the publisher and the API endpoint. Before installing or enabling: 1) Verify the publisher/domain: confirm rsoft-agentic-bank.com is owned by the publisher and that the site documents the same AWS Lambda endpoint or provides source code. 2) Prefer open-source code or a GitHub release you can inspect; instruction-only skills that control money are higher risk. 3) Confirm the API has proper authentication and review its privacy/security policy — the SKILL.md shows no API key or signature scheme. 4) If you test, use a throwaway wallet with only minimal testnet funds and monitor transactions. 5) If you don't fully trust the endpoint or publisher, do not point a production wallet (or any wallet with non-trivial funds) at this skill. Additional information that would raise confidence to 'benign': a verifiable repository or signed release from the claimed publisher, the domain and API endpoint matching (or a documented CNAME/config), and clear authentication/authorization for API calls.Like a lobster shell, security has layers — review code before you run it.
bankingvk97bh47gxnkgbzv8jn63tkb7b9810v69defivk97bh47gxnkgbzv8jn63tkb7b9810v69latamvk97bh47gxnkgbzv8jn63tkb7b9810v69latestvk97a26wtfdkxnc2h56cp6r536981nfy2lendingvk97bh47gxnkgbzv8jn63tkb7b9810v69mcpvk97bh47gxnkgbzv8jn63tkb7b9810v69usdcvk97bh47gxnkgbzv8jn63tkb7b9810v69x402vk97bh47gxnkgbzv8jn63tkb7b9810v69
License
MIT-0
Free to use, modify, and redistribute. No attribution required.