ClawAudit verdict
project0
project-0
Reads local files AND makes external network calls
The skill requires WALLET_KEYPAIR in the environment to sign on-chain DeFi transactions (deposits, borrows, leveraged yield strategies) on Solana with real funds; the skill itself warns about private key exposure risk, confirming the financial risk is real and significant.
Automated static analysis โ not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
What it does
These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence โ it does not verify that one flows into another. Read the code to confirm a live chain.
Reads local files AND makes external network calls โ the capabilities for data exfiltration co-occur (data-flow not verified)
LLM02 ยท LLM06 ยท ASI03
Reads files, encodes data, AND makes external network calls โ the obfuscated-exfiltration pattern (data-flow not verified)
LLM02 ยท ASI03
Accesses credentials AND makes external network calls โ potential credential theft
LLM02 ยท ASI03
Accesses credentials AND encodes data โ may obfuscate stolen credentials
LLM02 ยท ASI03 ยท ASI04
Permission integrity
network_out
file_read
package_install
Findings (4)
fetch() โ outbound network request
SKILL.md ยท code
File read operation
SKILL.md ยท code
Data encoding/decoding
SKILL.md ยท code
Makes HTTP request to external URL
SKILL.md ยท code ยท fetch("https://
Permissions & capabilities
Requires 5 environment variables. (1 sensitive: JUPITER_API_KEY).
network_outfile_readpackage_installcredential_accessdata_encoding Thanks โ recorded.