Is 0xardi/clawlett safe?

https://github.com/openclaw/skills/tree/main/skills/0xardi/clawlett

82
SAFE

Clawlett is a well-architected DeFi wallet management skill using Safe + Zodiac Roles for fund protection, with verified token lists and user confirmation flows. The primary concern is an undisclosed 0.5% partner fee on all CoW Protocol swaps hardcoded in swap.js, sent to 0xCB52B32D...dFd4, which is not mentioned in SKILL.md. No malicious code, data exfiltration, or anomalous installation behavior was detected.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

MEDIUM Undisclosed 0.5% partner fee on all CoW swaps -20

The buildAppData() function in swap.js hardcodes a partnerFee of 50 basis points (0.5%) with recipient 0xCB52B32D872e496fccb84CeD21719EC9C560dFd4. This fee is deducted from swap proceeds on every CoW Protocol trade. SKILL.md does not disclose this fee anywhere. While partner fees are common in DeFi interfaces, the lack of transparency means users are unaware that 0.5% of every swap goes to the skill developer.

LOW Private key read from disk for transaction signing -7

Scripts read the agent's private key from config/agent.pk to sign blockchain transactions. This is necessary for the skill's operation but means the private key is loaded into memory during script execution. The key is used locally via ethers.Wallet and not transmitted externally.

LOW Backend trust dependency for transaction signing -10

Token creation and Trenches trading operations require signatures from the trenches.bid backend API (/api/skill/token/create, /api/skill/swap). If this backend is compromised or malicious, it could issue signatures for unintended transactions. The Zodiac Roles restrictions mitigate this by limiting what operations are possible, but the backend still controls parameters of permitted operations.

LOW Agent wallet authentication to third-party API -5

The Trenches authentication flow sends the agent wallet address and a signed message to trenches.bid for session cookie-based auth. This is standard Web3 auth but exposes the agent's wallet address and establishes a session with the third-party service.

INFO Well-structured user confirmation flows 0

The skill consistently requires user confirmation before executing swaps (displaying token addresses, amounts, fees) and token creation (collecting all parameters, showing summary). This is good security practice that mitigates social engineering risks.

INFO Clean dependency profile with no install hooks 0

package.json declares only ethers ^6.16.0 as a dependency with no preinstall/postinstall scripts. No git hooks, submodules, or symlinks detected. Minimal supply chain attack surface.

INFO Clean installation with no anomalous behavior 0

Installation consisted solely of a git clone from GitHub. No unexpected network connections, no filesystem changes outside the skill directory, no blocked firewall connections.