Oasyce
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing an unreviewed package can run code on the user's machine, so package identity and source should be verified before use.
The instruction-only skill asks users to install an external Python package, while the supplied metadata has unknown source and no homepage. This is a provenance note, not evidence of malicious behavior.
pip install oasyce
Confirm the package publisher and version before installing, and prefer a trusted, pinned version or official installation instructions.
A mistaken or unauthorized command could buy or sell shares or otherwise change marketplace state.
The skill documents CLI commands that can perform marketplace transactions. This is aligned with the skill purpose, but these commands can spend or move value if run against a real account.
oas buy ASSET_ID --buyer bob --amount 10.0 --json
Use the skill only with explicit user approval for transactions, verify asset IDs and amounts, and test on a non-production network or low-value account first.
Using the wrong account or network could lock or spend funds unintentionally.
The documented workflow involves account identity, token funds, escrow, and settlement. The artifacts do not show credential theft or misuse, but users should understand which account or wallet the CLI controls.
The chain handles escrow automatically. Fee split on release: 93% creator, 3% validator, 2% burn, 2% treasury.
Check the active Oasyce identity, wallet, network, and balances before running buy, sell, resolve, or settlement-related commands.
Sensitive prompt data or files could be sent to a third-party capability if the user invokes one with private input.
The skill supports invoking marketplace capabilities, which may send user-provided inputs to an external capability provider. This is core functionality, but data boundaries depend on the selected provider.
oas capability invoke CAP_ID --input '{"text":"hello"}' --jsonReview the capability provider, endpoint, price, and data policy before sending private or regulated data.