Arsenal — Sumplus DeFi Execution Layer
v1.0.0Execute DeFi skills on Ethereum, Sui, Solana, and 10+ chains via Arsenal. Use for swaps, lending, liquidity, portfolio queries, and any blockchain operation.
⭐ 0· 57·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description (DeFi execution across many chains) matches the declared requirements and instructions. The only required credential is ARSENAL_API_KEY, which is the expected primary credential for an external execution API. No unrelated binaries, config paths, or extra cloud credentials are requested.
Instruction Scope
SKILL.md instructs the agent to always search Arsenal for the appropriate skill and to call /api/execute to get quotes or build transactions. It also instructs that EVM transactions should be "executed in order" and Sui/Solana tx_bytes/transactions should be passed to wallets or Privy. This is coherent for an execution layer, but the instructions assume an ability to (a) deliver txs to a signing/sending mechanism and (b) manage multi-step flows; the SKILL.md does not explicitly restrict or clarify whether the agent should ever ask for private keys, seed phrases, or the user's wallet credentials (it does explicitly say to inject ARSENAL_API_KEY from env and never ask the user for it). Because the skill can result in on-chain actions that move funds, confirmatory UX and explicit safe signing practices are important but not spelled out.
Install Mechanism
This is instruction-only with no install steps or code files, so nothing is downloaded or written to disk. That minimizes install-time risk.
Credentials
Only one env var (ARSENAL_API_KEY) is required, which is proportionate for an external API. The SKILL.md references a sign-up flow (email/password → obtain api_key) but does not require additional unrelated credentials or config paths.
Persistence & Privilege
always:false and no install means the skill does not demand permanent inclusion or elevated platform privileges. It does not request changing other skills or system-wide settings.
Assessment
This skill appears to be what it says: a wrapper around Arsenal's HTTP API that needs an ARSENAL_API_KEY. Before installing or using it, consider the following: (1) An API key given to this skill can be used to build and (depending on your setup) execute on-chain transactions — only provide a key you control and trust, ideally with limited scope if Arsenal supports that. (2) Never share private keys, seed phrases, or wallet passwords with the agent; prefer to sign transactions in your own wallet or through a trusted signing service. (3) If the skill asks you to supply email/password to perform sign-up flows, prefer to create the API key yourself via the Arsenal website and then set ARSENAL_API_KEY in the agent's environment rather than disclosing your credentials. (4) Test with small amounts or read-only queries first (get_quote, get_markets) to confirm behavior. (5) If you need higher assurance, ask the publisher for docs, an audit, or source code; the skill's source is unknown. Finally, verify the domain (https://arsenal.sumplus.xyz) and consider rotating keys after initial use.Like a lobster shell, security has layers — review code before you run it.
blockchainvk976b7t469z4g1atpde1s4gwrs83qcbwdefivk976b7t469z4g1atpde1s4gwrs83qcbwevmvk976b7t469z4g1atpde1s4gwrs83qcbwlatestvk976b7t469z4g1atpde1s4gwrs83qcbwsolanavk976b7t469z4g1atpde1s4gwrs83qcbwsuivk976b7t469z4g1atpde1s4gwrs83qcbwweb3vk976b7t469z4g1atpde1s4gwrs83qcbw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
⚔️ Clawdis
EnvARSENAL_API_KEY
Primary envARSENAL_API_KEY