Gotchi Channeling
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Aavegotchi channeling purpose, but it can use your Bankr wallet key for automated on-chain transactions and overstates some safety checks.
Review this before installing. Replace the included config with your own parcel and gotchi IDs, verify ownership/access manually, and do not enable cron or agent-driven use until you are comfortable with the Bankr wallet transactions it will submit.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked by the user, an agent, or a schedule, the skill can submit wallet transactions that may consume gas, put gotchis on cooldown, or affect game rewards.
This sends a Bankr-authenticated wallet transaction to an external API. That is purpose-aligned, but it is a high-impact on-chain action and the script proceeds after a cooldown check without an explicit user confirmation or ownership preflight.
RESPONSE="$(curl -sS -X POST "https://api.bankr.bot/agent/submit" ... -H "X-API-Key: $API_KEY" ... -d "$REQUEST_PAYLOAD")"
Require explicit user confirmation before Bankr submission, verify parcel ownership/access before submitting, and clearly show the exact parcel, gotchi, contract, chain, and calldata before sending.
Running the batch command before replacing the config could attempt transactions for someone else's configured assets, leading to failed transactions, gas costs, or unintended channeling behavior.
The shipped default config contains specific live-looking parcel/gotchi IDs rather than placeholders. Since channel-all uses config.json, a default run can target entries that may not belong to the installing user.
"channeling": [ { "parcelId": "867", "gotchiId": "9638", "description": "entry-instead-social + aaigotchi (primary)" }, ... ]
Ship only a config.json.example with placeholders, require users to create their own config, and fail closed until ownership/access checks pass.
Users may trust the automation more than they should and skip manual verification before allowing wallet transactions.
These safety claims are stronger than the included scripts support: the scripts show cooldown checking and Bankr submission, but no implemented ownerOf/access preflight or local transaction simulation step.
The skill checks: 1. Parcel ownership - Verifies you own the parcel ... 3. Transaction simulation - Bankr validates before sending
Either implement the claimed checks in code or revise the documentation to state that ownership/access is enforced by the contract or Bankr only after submission.
Installing or invoking the skill may allow it to use an existing Bankr credential without the user typing it again.
The script searches for a Bankr API key in the environment, user systemd environment, and existing Bankr skill config files. This is disclosed and purpose-aligned, but it uses a credential with wallet transaction authority.
systemctl --user show-environment ... ~/.openclaw/skills/bankr/config.json ... ~/.openclaw/workspace/skills/bankr/config.json
Use a dedicated, least-privilege Bankr key if available, keep the key out of shared configs, and review each transaction before enabling automation.
If the user adds the cron job, the skill may continue trying wallet transactions daily until the schedule is removed.
The documentation provides a cron example for recurring daily operation. This is user-directed and not self-installed, but it can keep submitting channeling attempts over time.
0 9 * * * cd ~/.openclaw/workspace/skills/gotchi-channeling && ./scripts/channel-all.sh >> /tmp/channeling.log 2>&1
Only enable cron after confirming the config, ownership, and Bankr permissions; monitor logs and disable the schedule if the setup changes.
