Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

aaveclaw

Aave V3 lending protocol on Base Sepolia testnet. Deposit WETH collateral, borrow USDC, repay loans, withdraw collateral, check health factor, and mint test tokens via faucet. Use when users want to interact with Aave lending, check their lending position health, or get testnet tokens.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
4 · 1.6k · 4 current installs · 5 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code and SKILL.md implement Aave V3 actions on Base Sepolia (deposit, borrow, repay, withdraw, health, faucet), which is coherent with the stated purpose. However, the registry metadata declares no required environment variables or config paths, while the implementation requires a private key (X402_PRIVATE_KEY or ~/.x402-config.json). That mismatch is unexpected and should have been declared.
Instruction Scope
Runtime instructions (SKILL.md) and the scripts limit actions to interacting with the Base Sepolia RPC and the Aave contract addresses, reading a private key from an env var or the x402-config.json file, and printing account/tx info. The instructions do not attempt to read unrelated system files or contact unexpected external endpoints.
Install Mechanism
There is no platform install spec, but setup.sh runs npm install (registry.npmjs.org) to install ethers and its dependencies. Using npm is expected for a JS blockchain tool, but it still pulls third-party packages (ethers and its dependency tree) onto disk; audit the lock file or run in a restricted environment if you don't trust the source.
Credentials
The runtime requires access to a private key (via X402_PRIVATE_KEY env var or ~/.x402-config.json) to sign transactions — this is necessary for on-chain actions, but the registry did not declare any required credentials or config paths. Requiring a high-sensitivity secret without declaring it is a proportionality/visibility issue and increases risk if users are unaware.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not modify other skills, and only persists by installing npm packages in its own directory. Autonomous invocation is allowed (platform default) but not itself unusual here.
What to consider before installing
This skill's code appears to do what it says (interact with Aave on Base Sepolia), but there are a few things to consider before installing:

  • The registry metadata omits that you must supply a private key. The code looks for X402_PRIVATE_KEY or a file (~/.x402-config.json or ./x402-config.json). Do not put a mainnet or production key there; use an ephemeral testnet key holding minimal funds.
  • setup.sh runs npm install, and the node scripts then execute. That pulls third-party packages (ethers and its dependencies) onto disk; review package-lock.json or run in an isolated environment if you don't trust the author.
  • Verify the contract addresses (pool, faucet, tokens) and the RPC URL in scripts/lib/config.js before sending transactions. Malicious or incorrect addresses could steal funds on any network where the key has value.
  • Because the source is unknown (no homepage or author listed), treat it as untrusted: run it locally in a sandbox or code-review the files, and prefer a throwaway testnet key or a hardware wallet/proxy signer where possible.

If you want to proceed safely: inspect scripts/lib/config.js and scripts/lib/aave.js yourself, ensure the faucet and pool addresses are legitimate for Base Sepolia, create a test-only private key, and run npm install in an environment where package installation and node execution are permitted and monitored.


Current version: v1.0.0
latest: vk975awtc6bhqsvcs8my406kpnx80gtxq


SKILL.md

aaveclaw - Aave V3 Lending on Base Sepolia

Interact with the Aave V3 lending protocol on the Base Sepolia testnet. Manages the full lending lifecycle, signing with the wallet from ~/.x402-config.json (or the X402_PRIVATE_KEY environment variable).

Setup

Run setup.sh on first use to install dependencies (ethers v6):

bash scripts/setup.sh

Commands

Check Health Factor

Check the current lending position. Safe to run anytime, read-only.

bash scripts/health.sh [address]

If no address is provided, uses the configured wallet address.

Mint Test Tokens (Faucet)

Get testnet WETH or USDC from the Aave faucet. Run this first if the wallet has no tokens.

bash scripts/faucet.sh weth 1       # Mint 1 WETH
bash scripts/faucet.sh usdc 1000    # Mint 1000 USDC

Deposit Collateral

Deposit WETH as collateral into Aave. Auto-wraps native ETH to WETH if needed.

bash scripts/deposit.sh 0.5         # Deposit 0.5 WETH

Borrow USDC

Borrow USDC against deposited collateral. Uses variable interest rate.

bash scripts/borrow.sh 100          # Borrow 100 USDC

Repay Debt

Repay borrowed USDC. Use "max" to repay entire debt.

bash scripts/repay.sh 50            # Repay 50 USDC
bash scripts/repay.sh max           # Repay all debt

Withdraw Collateral

Withdraw WETH collateral. Use "max" to withdraw everything (only if no debt).

bash scripts/withdraw.sh 0.5        # Withdraw 0.5 WETH
bash scripts/withdraw.sh max        # Withdraw all

Usage Guidelines

  • Always run health.sh first to see the current position before making changes.
  • Ask the user for amounts before executing deposit, borrow, repay, or withdraw.
  • Always show the health factor after any state-changing operation (the scripts do this automatically).
  • Warn when the health factor drops below 1.5; the position is approaching liquidation, which Aave permits once the health factor falls below 1.0.
  • Guide new users to the faucet to get test tokens before depositing.
  • Typical flow: faucet (get tokens) -> deposit (add collateral) -> borrow (take loan) -> repay (pay back) -> withdraw (retrieve collateral).
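Worked example of the number behind the 1.5 guideline, added here and not part of the skill's scripts: how the health factor the scripts print is derived from the fields Aave V3's Pool.getUserAccountData() returns, where the warn and liquidation lines sit, and how much more USDC can be borrowed while staying at or above 1.5. The position values are constructed; it is assumed (not read from the page) that base-currency amounts use Aave's 8-decimal USD oracle scale and that USDC is priced at one base-currency unit. The function names are mine.

```javascript
// Added worked example, not part of the aaveclaw scripts. Recomputes the
// health factor from Pool.getUserAccountData() fields and works out the
// borrowing headroom that keeps it at or above the 1.5 warning line used in
// the skill's guidelines. All inputs below are constructed.
"use strict";

const WAD = 10n ** 18n;                // 1e18 fixed point, the scale of healthFactor
const BPS = 10_000n;                   // liquidationThreshold and ltv are in basis points
const MAX_UINT256 = (1n << 256n) - 1n;
const WARN_HF = 15n * 10n ** 17n;      // 1.5: warn below this (SKILL.md guideline)
const LIQUIDATION_HF = WAD;            // 1.0: below this the position can be liquidated

// Aave's PercentageMath.percentMul and WadRayMath.wadDiv, both half-up rounding.
const percentMul = (value, bps) => (value * bps + BPS / 2n) / BPS;
const wadDiv = (a, b) => (a * WAD + b / 2n) / b;

// Mirrors Aave's GenericLogic: HF = collateral * avgLiquidationThreshold / debt,
// and uint256 max when there is no debt.
function healthFactor({ totalCollateralBase, totalDebtBase, currentLiquidationThreshold }) {
  if (totalDebtBase === 0n) return MAX_UINT256;
  return wadDiv(percentMul(totalCollateralBase, currentLiquidationThreshold), totalDebtBase);
}

// Additional debt (base-currency units) that keeps HF >= targetHf. A new borrow is
// also capped by LTV (what availableBorrowsBase reports), so return the smaller limit.
function borrowHeadroom(acct, targetHf = WARN_HF) {
  const { totalCollateralBase, totalDebtBase, currentLiquidationThreshold, ltv } = acct;
  const byHealth = (percentMul(totalCollateralBase, currentLiquidationThreshold) * WAD) / targetHf - totalDebtBase;
  const byLtv = percentMul(totalCollateralBase, ltv) - totalDebtBase;
  const room = byHealth < byLtv ? byHealth : byLtv;
  return room > 0n ? room : 0n;
}

function classify(hf) {
  if (hf < LIQUIDATION_HF) return "liquidatable";
  if (hf < WARN_HF) return "warn";
  return "ok";
}

// Two decimals is enough for a warning line; "inf" is what no-debt positions show.
const formatWad = (x) =>
  x === MAX_UINT256 ? "inf" : `${x / WAD}.${(x % WAD).toString().padStart(18, "0").slice(0, 2)}`;
// 8-decimal base currency -> 6-decimal USDC units, assuming USDC = 1 base unit ($1).
const baseToUsdc = (base) => base / 100n;

// Constructed position: 2 WETH at $2,500 ($5,000 collateral) with $1,000 of USDC debt,
// liquidation threshold 80% and LTV 75%. Illustrative parameters, not read from chain.
const sample = {
  totalCollateralBase: 5_000n * 10n ** 8n,
  totalDebtBase: 1_000n * 10n ** 8n,
  currentLiquidationThreshold: 8000n,
  ltv: 7500n,
};

const hf = healthFactor(sample);
console.log(`health factor ${formatWad(hf)} (${classify(hf)})`);
console.log(`can borrow ${baseToUsdc(borrowHeadroom(sample))} USDC units more and stay >= 1.5`);
```

For the constructed position this gives a health factor of 4.00 and roughly 1,666.67 USDC of extra borrowing before the factor reaches 1.5; the LTV limit (about 2,750 USDC) is looser here, which is why borrow.sh would let you go past the warning line and only the 1.5 check in the guidelines stops you.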

Network Details

Error Handling

  • If private key is missing: direct user to create ~/.x402-config.json with {"private_key": "0x..."}
  • If insufficient balance: the scripts report exact balances and what is needed
  • If health factor would drop too low after borrow: Aave reverts the transaction automatically
  • If faucet fails: the faucet contract may have minting limits or may not be available

Files

19 total
