Gotchi Equip
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill is coherent and does what it says, but it can submit Bankr transactions that change Aavegotchi wearable state and uses a Bankr API key.
Before installing, make sure you are comfortable giving this skill access to a Bankr API key and using it to submit Aavegotchi wearable transactions. Review gotchi IDs and wearable slot values carefully, especially before using unequip-all.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the equip command can submit a real Base transaction that changes the wearable loadout for the selected gotchi.
The equip flow submits a prepared transaction to Bankr, which is expected for this skill but can change on-chain Aavegotchi wearable state once run.
echo "Submitting transaction via Bankr..." RESPONSE="$(curl -sS -X POST "https://api.bankr.bot/agent/submit" ... -d @"$TEMP_TX")"
Only run equip commands with gotchi IDs and slot values you intend to change, and rely on Bankr/account-side limits or confirmations where available.
Running the unequip-all command can remove all equipped wearables from the selected gotchi, potentially requiring another transaction to restore the loadout.
The unequip-all script is clearly named and documented, but it submits a transaction that sets all wearable slots to zero.
echo "Action: Unequip all wearables" ... RESPONSE="$(curl -sS -X POST "https://api.bankr.bot/agent/submit" ... -d @"$TEMP_TX")"
Use the unequip-all script only when you explicitly want a full unequip, and review the gotchi ID before running it.
The skill can use your Bankr account authority to submit the scoped Aavegotchi transaction payloads it builds.
The skill retrieves a Bankr API key from documented environment and OpenClaw Bankr config locations so it can submit transactions.
key="${BANKR_API_KEY:-}" ... systemctl --user show-environment ... "$HOME/.openclaw/skills/bankr/config.json" ... "$HOME/.openclaw/workspace/skills/bankr/config.json"Use a Bankr key with appropriate limits if possible, and keep the key in trusted locations only.
Installing dependencies adds normal npm supply-chain exposure, although the dependency set is small and lockfile-backed.
The skill requires installing npm dependencies before use; this is expected because the code uses viem to encode transaction calldata, and a package-lock file is included.
npm install
Install from a trusted copy of the skill and keep the included package-lock.json when installing dependencies.