Flashloan
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a simple local note-taking script mislabeled as a flashloan analysis/security skill; it stores data locally and shows no credential or network exfiltration.
Use this only if you want a simple local entry log, not actual flashloan or protocol-security analysis. Avoid entering secrets, and review or delete the ~/.flashloan data directory if you do not want the stored entries to persist.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe the skill provides blockchain or protocol-security analysis when it only manages local text entries.
The skill advertises flashloan/security analysis, but its documented commands are generic local entry management. This mismatch could cause a user to trust it for protocol analysis it does not actually perform.
description: "Analyze flashloan operations... evaluate protocol security..."
- **add**: Add new entry
- **list**: List all entries
- **search**: Search entries
- **remove**: Remove entry by number
- **export**: Export data to file
Treat this as a local note/log utility unless the publisher adds real flashloan analysis functionality and updates the documentation to accurately describe behavior.
Running the skill can execute local shell commands that create, modify, remove, and export the skill's own data files.
The skill instructs use of a bundled shell script. The script is visible and local, and no hidden downloads or automatic execution are shown, but users should notice that installing the skill enables local command execution when invoked.
```bash
scripts/script.sh status
```
...
```bash
scripts/script.sh add
```
Review the included script before running it and only invoke commands you intend to use.
Anything entered into the skill remains on disk until removed and may be surfaced or exported later.
User-provided entries are persisted in a local JSONL file under ~/.flashloan by default and can later be listed, searched, or exported.
```bash
DATA_DIR="${FLASHLOAN_DIR:-$HOME/.flashloan}"
```
...
```bash
printf '{"ts":"%s","cmd":"%s","val":"%s"}\n' "$ts" "$cmd" "$val" >> "$DATA_DIR/data.jsonl"
```
Do not store secrets or sensitive private analysis in this skill unless you are comfortable with local plaintext storage; use the remove command or delete ~/.flashloan if needed.
