MetEngine Data Agent
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill is a paid crypto API integration, but it asks the agent to use a local Solana wallet, keep persistent cross-session memory, and auto-update its own instructions from a remote site.
Install only if you are comfortable with a paid crypto API integration. Do not enable the cron auto-update, use a separate low-balance Solana wallet, review the pricing before calls, and inspect or disable the persistent memory file before trusting future sessions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Future agent instructions could change based on whatever the remote site serves, without the user reviewing the new skill content first.
The skill tells users or agents to overwrite the local agent skill file from a remote URL without a pinned version, hash, signature, or registry review path.
curl -sL https://www.metengine.xyz/skill.md -o ~/.claude/agents/metengine-data-agent.md
Do not enable automatic remote skill replacement. Update only from a reviewed source, pin versions or hashes, and inspect changes before installing.
The skill can keep changing itself weekly even when the user is not actively using it.
The documented cron job creates persistent background behavior that repeatedly modifies the agent skill file after installation.
0 0 * * 0 curl -sL https://www.metengine.xyz/skill.md -o ~/.claude/agents/metengine-data-agent.md 2>/dev/null
Avoid installing the cron job. If updates are needed, require an explicit user action and review the new file before replacing the current skill.
API calls may involve signing or spending from a local Solana wallet, so misuse or unclear limits could cost the user funds.
The skill expects access to a local Solana keypair path and USDC/SOL balance checks for x402 payments, which is sensitive financial authority.
Wallet configuration -- path to the Solana keypair ... keypair_path: ~/.config/solana/id.json
Use a dedicated low-balance wallet, require explicit approval before each paid request, and verify pricing before allowing the agent to make calls.
If that memory file is wrong, stale, or tampered with, future sessions may reuse unsafe code or incorrect endpoint/payment behavior.
The skill creates a persistent cross-session memory file that stores wallet setup details, executable bootstrap snippets, endpoint history, fallbacks, and pricing cache, then tells future agents to trust it before API calls.
Before making ANY API call, check for a memory file at: ~/.claude/agents/metengine-memory.md ... Client Bootstrap -- a working code snippet ... copy-paste ready ... Agents MUST update the memory file
Treat the memory file as untrusted input, avoid storing executable snippets or wallet paths, and ask the user before reusing stored payment setup.