RSoft Agentic Bank
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill openly uses an external lending API and a Base Sepolia payment wallet, so it appears purpose-aligned but should be used only with a dedicated testnet wallet.
Install this only if you intend to use RSoft's Base Sepolia testnet lending workflow. Use a fresh testnet wallet, verify the official website and Lambda API endpoint, inspect the separate payment skill, and confirm repayment address and amount before allowing the agent to run payment commands.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following the workflow could move testnet USDC from the configured wallet.
Repayment uses a local payment tool to transfer USDC to the address and amount returned by the bank API. This is central to the skill's purpose, but it is still a value-transfer action.
~/.openclaw/skills/payment/scripts/pay --to <pay_to> --amount <repayment_amount>
Use a dedicated Base Sepolia wallet with limited test funds and verify the recipient address and repayment amount before running the payment step.
The agent may be able to use the configured payment wallet for the documented testnet loan and repayment actions.
The skill depends on delegated wallet/payment capability. That is expected for a lending and repayment workflow, but it is still privileged account-like access.
Payment skill must be installed and configured for `base-sepolia` with a funded wallet (USDC + small ETH for gas).
Do not connect a valuable wallet; keep this limited to a separate testnet wallet and review the payment skill separately.
A user may not realize from registry metadata alone that using the skill requires installing and trusting another payment-capable skill.
The skill discloses a dependency on curl and the payment skill, while the supplied registry requirements say no required binaries or credentials. This is an under-declared dependency, not hidden code.
requires:
  bins:
    - curl
  skills:
    - payment
Inspect and trust the payment skill before installing or using this workflow.
The external service can associate your wallet address with credit checks, loan requests, and repayment confirmations.
The workflow sends the wallet address, loan identifiers, and transaction hashes to an external provider API. This is expected for the service, but it links wallet activity to the provider.
Use the `address` field as your `agent_id` in all bank commands.
Use a dedicated testnet wallet and verify that the AWS Lambda endpoint is the intended RSoft service before sharing wallet-linked data.
