Is chainyoda/aaveclaw safe?

https://github.com/openclaw/skills/tree/main/skills/chainyoda/aaveclaw

85
SAFE

aaveclaw is a legitimate Aave V3 DeFi lending skill for Base Sepolia testnet. The code is clean, well-structured, and free of malicious patterns. The primary security consideration is that it reads a cryptocurrency private key from ~/.x402-config.json — inherently sensitive but necessary for its stated purpose. No prompt injection, canary access, suspicious network activity, or malicious code execution was detected.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

MEDIUM Reads cryptocurrency private key from home directory -20

config.js reads a private key from ~/.x402-config.json, X402_PRIVATE_KEY env var, or CWD/x402-config.json. While this is the skill's stated purpose for signing blockchain transactions, the private key is the most sensitive credential a crypto user possesses. If this key controls mainnet funds (not just testnet), compromise could result in total loss of funds.

LOW npm install executes downloaded code -10

setup.sh runs 'npm install --omit=dev' which downloads the ethers package and its dependencies from the npm registry. While ethers is a well-known legitimate package and the lockfile pins specific versions, npm install inherently runs arbitrary code during package resolution.

LOW Transactions sent to external RPC endpoint -5

All blockchain interactions are sent to https://sepolia.base.org, a public Base Sepolia testnet RPC. Signed transaction data leaves the local system. The RPC URL is hardcoded in config.js, which is good (not user-configurable to a malicious endpoint), but a supply chain attack on the skill repo could change it.

LOW Unlimited token approval pattern -5

The ensureAllowance function in aave.js approves MaxUint256 spending for the Aave pool contract. This is a common DeFi pattern but grants unlimited token spending permission to the pool contract address. On testnet this is inconsequential, but the pattern could be dangerous if reused on mainnet.

INFO Behavioral guidelines in SKILL.md are reasonable -5

SKILL.md instructs the agent to always check health factor first and ask users for amounts before transactions. These are safety-oriented guidelines appropriate for a financial tool, not prompt injection.

INFO Cross-skill combination risk with private key access -5

If another installed skill has filesystem read access, it could read ~/.x402-config.json to steal the private key. If it has write access, it could modify config.js to redirect transactions to a malicious RPC or contract. This is a general platform risk, not specific to this skill.