Is kj-script/impossible-finance-skill safe?

https://github.com/openclaw/skills/tree/main/skills/kj-script/impossible-finance-skill

84
SAFE

This skill appears to be a legitimate DeFi trading tool for Binance Smart Chain with comprehensive documentation and no evidence of malicious behavior. However, it handles cryptocurrency private keys and interacts with financial systems, presenting inherent security and financial risks.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (4)

MEDIUM Private Key Storage -25

The skill creates and stores cryptocurrency private keys locally in ~/.config/impossible_agent/wallet.json. While documented and apparently legitimate for DeFi functionality, this presents inherent security risks if the file is compromised.

LOW Financial Risk Exposure -15

The skill interacts with DeFi protocols and handles cryptocurrency transactions, which carries inherent financial risks including potential loss of funds through smart contract vulnerabilities or user error.

LOW Network Connections to Blockchain -10

The skill makes network connections to BSC RPC endpoints and DeFi protocols. While necessary for functionality, this creates potential data transmission channels.

INFO Complex DeFi Functionality -10

The skill implements complex DeFi operations, including wallet generation, token swaps, and smart contract interactions, which could potentially be misused if modified or combined with other skills.