Near Dca

Warn

Audited by ClawScan on May 10, 2026.

Overview

This NEAR DCA skill is purpose-aligned, but it needs review because it asks for wallet-key authority, can run scheduled purchase logic, and the included code appears to fabricate transaction success rather than performing real DEX trades.

Install only if you are comfortable reviewing experimental financial automation. Use a dedicated low-balance NEAR account, avoid plaintext private keys, disable or carefully gate the scheduled trigger, and verify that the code performs real on-chain transactions before relying on purchase or performance reports.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You could rely on fake purchase history or performance data and mistakenly think your DCA strategy is actually buying NEAR.

Why it was flagged

The code uses mock prices and generates a random transaction hash, yet the docs present the skill as executing real DEX purchases. This can make users believe a trade happened when no on-chain transaction was performed.

Skill content
async fetchFromCoingecko(id) {
  // Mock implementation - in production, use actual API
  return 6.50;
}
...
const txHash = crypto.randomBytes(32).toString('hex');
...
success: true
Recommendation

Treat this as experimental until it verifies real on-chain transaction receipts from NEAR/DEX APIs and clearly labels any simulation or mock mode.

What this means

If the key is stored insecurely, over-scoped, or misused, funds in the wallet could be traded or moved.

Why it was flagged

The skill asks for a NEAR account private key for automated mainnet trading, while the supplied registry metadata declares no primary credential. A wallet private key is high-impact authority.

Skill content
account_id: your-account.near
private_key: your-private-key  # Or use secure credential storage
Recommendation

Do not place a main wallet private key in plaintext config. Use OpenClaw credential storage, a dedicated low-balance wallet, and preferably a tightly scoped NEAR access key.

What this means

A mistaken or stale strategy could keep executing or recording executions without you reviewing each run.

Why it was flagged

The skill can automatically run purchase logic every 5 minutes for due strategies. Financial automation is expected for DCA, but the artifacts do not show per-purchase approval, required end dates, or hard spend limits.

Skill content
triggers:
  - type: schedule
    name: dca-executor
    ...
    schedule: "*/5 * * * *"
    action: execute-scheduled-purchases
Recommendation

Only enable scheduling after reviewing each strategy, setting explicit end dates/spend limits, and confirming whether the code performs real trades or simulations.

What this means

You may run package installation and local Node code that were not obvious from the registry requirements summary.

Why it was flagged

The README expects local Node package installation even though the registry says there is no install spec. This appears purpose-aligned, but the installation/runtime requirements are not fully surfaced in metadata.

Skill content
cd C:\Users\Shai\.openclaw\skills\near-dca
npm install
Recommendation

Review package.json/package-lock and the included source before installing; install only from a trusted source.

What this means

Anyone with access to the storage file may see your DCA strategy, amounts, and execution history.

Why it was flagged

The skill stores financial strategy and execution history locally. This is purpose-aligned, but the data may reveal investment behavior.

Skill content
All strategy data and execution history is stored in a JSON file at `./data/dca_state.json`.
Recommendation

Keep the storage path private, avoid synced/shared folders unless intended, and protect backups containing this file.