Aave V3 lending protocol on Base Sepolia testnet. Deposit WETH collateral, borrow USDC, repay loans, withdraw collateral, check health factor, and mint test tokens via faucet. Use when users want to interact with Aave lending, check their lending position health, or get testnet tokens.
Security Analysis
medium confidence
The skill's code largely matches its Aave/testnet purpose, but the package metadata and registry entry omit that it requires a private key/config file and will run npm install + node scripts. This mismatch and the unknown source warrant caution.
The skill's code and SKILL.md implement Aave V3 actions on Base Sepolia (deposit, borrow, repay, withdraw, health, faucet) which is coherent with the stated purpose. However the registry metadata declares no required env variables or config paths, while the implementation requires a private key (X402_PRIVATE_KEY or ~/.x402-config.json). That mismatch is unexpected and should have been declared.
Runtime instructions (SKILL.md) and the scripts limit actions to interacting with the Sepolia Base RPC and Aave contract addresses, reading a private key from an env var or the x402-config.json file, and printing account/tx info. The instructions do not attempt to read unrelated system files or contact unexpected external endpoints.
There is no platform install spec, but setup.sh runs npm install (registry.npmjs.org) to install ethers and its deps. Using npm is expected for a JS blockchain tool, but it still pulls third-party packages (ethers and deps) onto disk — audit or run in a restricted environment if you don't trust the source.
The runtime requires access to a private key (via X402_PRIVATE_KEY env var or ~/.x402-config.json) to sign transactions — this is necessary for on-chain actions, but the registry did not declare any required credentials or config paths. Requiring a high-sensitivity secret without declaring it is a proportionality/visibility issue and increases risk if users are unaware.
The skill does not request permanent 'always' inclusion, does not modify other skills, and only persists by installing npm packages in its own directory. Autonomous invocation is allowed (platform default) but not itself unusual here.
Guidance
This skill's code appears to do what it says (interact with Aave on Base Sepolia), but there are a few things to consider before installing:

- The registry metadata omitted that you must supply a private key. The code will look for X402_PRIVATE_KEY or a file (~/.x402-config.json or ./x402-config.json). Do not put a mainnet/private production key there; use an ephemeral/testnet key with minimal funds.
- setup.sh runs npm install and then the node scripts execute. That will pull third-party packages (ethers, etc.) onto disk; review package-lock.json or run in an isolated environment if you don't trust the author.
- Verify the contract addresses (pool, faucet, tokens) and RPC URL in scripts/lib/config.js before sending transactions; malicious or incorrect addresses could steal funds on any network where the key has value.
- Because the source is unknown (no homepage/author listed), treat this as untrusted: run locally in a sandbox or code-review the files, and prefer using a throwaway testnet key or a hardware wallet/proxy signer if possible.

If you want to proceed safely: inspect scripts/lib/config.js and scripts/lib/aave.js yourself, ensure the faucet/pool addresses are legitimate for Base Sepolia, create a test-only private key, and run npm install in an environment where package installation and node execution are permitted and monitored.
Latest Release
v1.0.0
Initial release: Aave V3 lending on Base Sepolia — deposit, borrow, repay, withdraw, health check, and faucet
Published by @chainyoda on ClawHub