Arcadia Finance

Audited by ClawScan on May 4, 2026.

Overview

This skill matches its stated Arcadia DeFi purpose, but it can prepare wallet transactions involving real funds, so users should review every transaction before signing.

This appears purpose-aligned and not malicious from the provided artifacts. Treat it like any DeFi tool: verify the publisher, use the official endpoint, never share seed phrases or private keys, and carefully inspect every wallet prompt before signing, especially approvals, leverage, account-closing, or automation transactions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could be asked to sign a transaction that moves funds, changes DeFi positions, or enables automation.

Why it was flagged

The skill can prepare transactions for deposits, redemptions, liquidity changes, account closing, approvals, and automation. The unsigned-transaction design is a meaningful safety boundary, but the resulting transactions can still affect real assets if signed.

Skill content

All write tools return unsigned transactions `{ to, data, value, chainId }`. Sign with your wallet before broadcasting.

Recommendation

Before signing, independently verify the chain, contract address, recipient, token, amount, approval scope, calldata meaning, and expected outcome. Do not enable auto-signing.

What this means

If a wallet approval is misunderstood or signed too broadly, funds or permissions could be put at risk.

Why it was flagged

Wallet signing is expected for a DeFi skill and the artifact warns against exposing private keys, but signing authority is still high-impact account control.

Skill content

You need a separate wallet to sign and broadcast. Never expose private keys to the agent.

Recommendation

Use a wallet that requires explicit human confirmation, prefer limited approvals, consider hardware or multisig wallets for large amounts, and never paste private keys or seed phrases into the agent.

What this means

Arcadia's server, or any endpoint set through ARCADIA_MCP_URL, can see the wallet addresses and transaction parameters used with the skill.

Why it was flagged

The wrapper calls a remote MCP endpoint to list and call tools. The SKILL.md discloses that public wallet/account addresses and transaction parameters are sent to this server.

Skill content

MCP_URL="${ARCADIA_MCP_URL:-https://mcp.arcadia.finance/mcp}"

Recommendation

Use only the official endpoint unless you intentionally trust an alternate server, and do not send secrets or private keys as tool arguments.

What this means

A user cannot confirm from the supplied metadata alone that this package was published by Arcadia or an authorized maintainer.

Why it was flagged

The artifact set does not establish source provenance for the registry package. This is not evidence of malicious behavior, but provenance is important for a financial skill.

Skill content

Source: unknown

Recommendation

Verify the skill through Arcadia's official website, documentation, or trusted registry ownership before using it with meaningful funds.