Termix Agent Skills
Warn
Audited by ClawScan on May 12, 2026.
Overview
This skill mostly matches its TermiX blockchain helper purpose, but it publishes a bearer API token and asks users to run wallet-transaction scripts, so it needs review before use.
Do not rely on the embedded bearer token; it should be removed or rotated by the publisher. If you use the skill, use a dedicated low-value testnet wallet, review every generated script and transaction amount, verify contract addresses from the live config, and avoid installing optional packages or sharing exchange/API credentials unless you fully trust the TermiX workflow.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A shared API token could be abused to call protected TermiX endpoints or alter metadata without a user's separate authorization.
A bearer credential is published directly in the skill documentation. Even though the docs say it is only for a metadata staging endpoint, anyone installing or viewing the skill can reuse it.
| API Key (Bearer) | `HrnsTtFiEchdgq7J76Pmxv9rE8jKy0Nen` |
The publisher should revoke and rotate this token, remove it from the skill, and require users to provide their own scoped token through an environment variable if authentication is needed.
If run with incorrect parameters, the scripts could approve token spending, lock funds, or create/fund the wrong job on-chain.
The workflow generates scripts that use the user's wallet key to broadcast approval and funding transactions. This is aligned with creating and funding AACP jobs, but it is high-impact authority.
const account = privateKeyToAccount(process.env.WALLET_KEY as `0x${string}`); ... walletClient.writeContract({ ... functionName: "approve" ... }); ... functionName: "setBudget"
Use a dedicated test wallet, verify contract addresses from the live config, confirm amounts and job IDs, and only run transaction scripts after explicit user approval.
A compromised environment or careless script edit could expose or misuse the user's wallet key.
The skill requires a wallet private key for some workflows. The docs describe it as local and user-authorized, which is purpose-aligned, but private-key handling is inherently sensitive.
WALLET_KEY ... Wallet private key used locally only for user-authorized BSC Testnet signing or transactions.
Use a low-value dedicated BSC Testnet wallet, avoid pasting keys into chat, store keys only in the local environment, and inspect scripts before execution.
Installing extra packages can introduce supply-chain risk if done in an untrusted project or without version pinning.
The docs include an optional package installation that is not represented by an install spec or lockfile in the provided artifacts.
Run with Node.js (requires `eventsource` package):
```bash
npm install eventsource
node -e "require('eventsource'); /* paste snippet above */"
```
Only install optional packages in a disposable or trusted project, pin package versions when possible, and avoid running copied snippets until reviewed.
