Gotchi DAO Voting Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Snapshot voting purpose, but it can use Bankr signing authority with a bundled hard-coded wallet address, so users should review it carefully before voting.
Before installing or invoking this skill, edit config.json to your own Bankr/Snapshot wallet, confirm the Bankr API key is intended for voting, run --dry-run, and review the proposal ID and choice before allowing any signed submission.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user does not replace this value, the agent may check voting power and build signed vote data for the wrong wallet, causing rejected or misdirected governance voting.
The bundled default config contains a concrete wallet address rather than a placeholder; the voting scripts use config.wallet as the Snapshot voting address.
"wallet": "0xb96B48a6B190A9d509cE9312654F34E9770F2110"
Ship a placeholder config or require the user to set and confirm their own wallet before signing; ideally validate that the Bankr signer address matches the configured wallet.
The skill may obtain existing Bankr signing authority even if the user did not provide a key specifically for this voting workflow.
If BANKR_API_KEY is not set directly, the script can reuse a Bankr API key from another local skill configuration.
if [ -z "$key" ] && [ -f "$HOME/.openclaw/skills/bankr/config.json" ]; then
  key="$(jq -r '.apiKey // empty' "$HOME/.openclaw/skills/bankr/config.json")"
fi
Use a dedicated or scoped Bankr key, document all credential fallback paths clearly, and require explicit user confirmation before any signing request.
Running the submit command can cast a public DAO vote using the configured wallet and Bankr credentials.
The submit path requests a Bankr signature and then posts the signed vote to the Snapshot sequencer.
SIGN_RESPONSE="$(curl -sS -X POST "https://api.bankr.bot/agent/sign" ... )" ... VOTE_RESPONSE="$(curl -sS -X POST "$SEQUENCER"
Run --dry-run first, verify proposal ID, choice, wallet, and voting power, and only submit after explicit user approval.
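A pre-flight check that enforces the recommendations from the first two findings (reject the bundled wallet, accept only an explicitly set BANKR_API_KEY, and require the signer address to match the configured wallet), added here as an example and not the skill's own code. It assumes config.json carries a "wallet" field and that the caller supplies the address the Bankr signer reports; the review does not document Bankr's response format, so that input is hypothetical.

```shell
#!/bin/sh
# Example pre-flight gate for a Snapshot vote submission (not the skill's code).
# Assumptions: config.json has a "wallet" field; the Bankr key must come from
# BANKR_API_KEY alone (no fallback to another skill's config); the caller passes
# the signer address (hypothetical input) that Bankr reports for the key.

# The address shipped in the bundled config, per the review; treat it as unset.
BUNDLED_DEFAULT_WALLET="0xb96B48a6B190A9d509cE9312654F34E9770F2110"

# Pull the "wallet" value out of a JSON config using sed only (no jq needed).
read_wallet() {
  sed -n 's/.*"wallet"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Hex addresses are case-insensitive; normalise before comparing.
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# preflight CONFIG_FILE SIGNER_ADDRESS
# Returns 0 only when a signed submission is safe to attempt; otherwise prints
# the reason to stderr and returns 1.
preflight() {
  config="$1"; signer="$2"
  wallet="$(read_wallet "$config")"
  case "$wallet" in
    0x[0-9a-fA-F]*) ;;
    *) echo "refuse: wallet missing or not a 0x address" >&2; return 1 ;;
  esac
  if [ "${#wallet}" -ne 42 ]; then
    echo "refuse: wallet is not 20 bytes of hex" >&2; return 1
  fi
  if [ "$(lower "$wallet")" = "$(lower "$BUNDLED_DEFAULT_WALLET")" ]; then
    echo "refuse: wallet is the bundled default; set your own in config.json" >&2; return 1
  fi
  if [ -z "$BANKR_API_KEY" ]; then
    echo "refuse: BANKR_API_KEY not set (no fallback to other skills' keys)" >&2; return 1
  fi
  if [ "$(lower "$wallet")" != "$(lower "$signer")" ]; then
    echo "refuse: signer $signer does not match configured wallet $wallet" >&2; return 1
  fi
  return 0
}
```

Call preflight before the sign request and abort on a non-zero return; the dry-run path can call it too so misconfiguration surfaces before any signature is requested.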
