Neo Market

Status: Warn. Audited by ClawScan on May 10, 2026.

Overview

This skill looks purpose-aligned for a crypto marketplace, but it uses a raw wallet private key and can submit token approvals and on-chain transactions without clearly declared credential requirements or approval limits.

Review before installing. If you use it, create a dedicated low-balance wallet, keep main wallets and valuable funds separate, verify the npm package and contract addresses, and require manual review of every transaction amount, network, and approval before signing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

If the agent has access to this key, it can sign blockchain transactions from that wallet, spending gas and potentially affecting token balances or approvals.

Why it was flagged

The CLI accepts a raw EVM private key from the command line or environment and turns it into a signing wallet. This is high-impact account authority, and the registry metadata declares no primary credential or required environment variables.

Skill content

    .option("--key <private_key>", "Override Private Key");
    ...
    const key = options.key || process.env.PRIVATE_KEY;
    if (key) return new ethers.Wallet(key, provider);

Recommendation

Use only a dedicated low-balance wallet, preferably testnet-only unless you intend mainnet use. Avoid passing private keys on the command line, and the skill should declare its wallet credential requirement clearly in its metadata.

Finding 2

What this means

A mistaken or autonomous invocation could publish jobs, approve USDC, place bids, select bids, or submit deliveries using the configured wallet.

Why it was flagged

The CLI can approve token spending and submit marketplace transactions directly. These actions fit the marketplace purpose, but the artifacts do not show confirmation prompts, spending caps, or other guardrails before high-impact financial mutations.

Skill content

    const txApprove = await token.approve(ADDRS.Marketplace, budgetWei);
    await txApprove.wait();
    ...
    const tx = await market.publishJob(cid, 0, budgetWei, ADDRS.usdc, deadline);
    ...
    const tx = await market.placeBid(options.job, options.cid, price, options.eta);

Recommendation

Require explicit user approval for every transaction, display the network, contract address, function, and amount before signing, and set clear budget/spend limits.

Finding 3

What this means

Installing a different or compromised npm package version could expose the same wallet authority used by the skill.

Why it was flagged

The documented setup installs a global npm executable without a pinned version. This is common for CLI tools, but it matters more here because the executable handles wallet private keys and blockchain transactions.

Skill content

    npm install -g @wangwuww/neo-market-cli

Recommendation

Verify the npm package and repository, pin a specific trusted version, and install in an isolated environment before providing any wallet key.