Swaps Intel
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Swaps API key may be used by the agent to make risk-check requests on your behalf.
The skill requires a service API key and sends it to the Swaps API. This is expected for the stated integration, but users should understand they are granting the agent access to that API credential.
Once you have your key, set it as the `SWAPS_INTEL_API_KEY` environment variable, or pass it directly in the `x-api-key` header.
Use a dedicated Swaps API key if possible, keep it private, and revoke or rotate it if you no longer use the skill.
Addresses or transactions you check may be associated with hashed telemetry and usage metadata by the Swaps service.
The artifacts disclose provider-side telemetry for requests. This is purpose-aligned for rate limiting and abuse controls, but it means queried address-related data and request metadata may be processed or logged by the provider.
`api_key_id` (nullable), `anon_fingerprint` (hashed), `address_hash` (hashed), `risk_bucket` (low/medium/high/critical), `latency_ms`, `status_code`, `timestamp`
Avoid checking wallet addresses or transactions you are not comfortable sending to this provider, and review the provider’s terms and privacy practices for your use case.
Provider-generated text or links may be displayed in the final answer if the agent uses the API response directly.
The API can return preformatted Markdown meant for agent output. That is useful for this skill, but returned Markdown should be treated as data rather than as instructions that can change the agent’s task.
"markdown_summary": { "type": "string", "description": "Pre-formatted Markdown response intended for direct use by the agent." }Agents should preserve factual risk data while ignoring any instruction-like language that might appear inside returned API content.
Some bundled documentation may be stale or not synchronized with the published package state.
An included launch/governance document appears inconsistent with the registry’s published package status. This does not show malicious behavior, but it is a provenance and packaging-quality ambiguity users may want to notice.
Status: **READY / NOT PUBLISHED** Owner: G approval required before `clawhub publish`
Before relying on the skill for sensitive compliance or fraud workflows, confirm the current provider documentation, version, and abuse-control status.