Gotchi Finder
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to be a read-only Aavegotchi lookup and image-generation tool, with some normal local execution and dependency-install considerations users should notice.
This skill looks safe for its stated read-only purpose, but install it only if you are comfortable running its Node/shell scripts, fetching public blockchain/API data, installing npm dependencies, and storing generated gotchi files locally.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the skill can create local output files and send the resulting gotchi image and caption in the conversation.
The skill directs the agent to run a local shell script and then send generated media/caption output. This is aligned with the stated display purpose, but it is still command execution and message-tool use that users should understand.
cd ~/.openclaw/workspace/skills/gotchi-finder
bash scripts/show-gotchi.sh 8746
...
message(action: "send", media: PNG_PATH, caption: CAPTION)
Use it for intended gotchi lookups, and review generated files/captions if the output will be posted somewhere public.
Installing dependencies may fetch updated third-party package versions from npm.
The skill depends on public npm packages with semver ranges rather than exact pinned versions. This is normal for many Node skills, but it means future installs may resolve to newer package versions.
"dependencies": {
  "ethers": "^6.11.1",
  "sharp": "^0.33.0"
}
Install from a trusted environment and consider pinning dependencies or using a lockfile if reproducible installs are important.
Users may overtrust the skill because of strong safety wording, even though it still runs code, uses network services, installs dependencies, and writes files.
The documentation uses absolute safety and approval language. The code appears read-only, but users should not rely on self-stated zero-risk or approval claims as a substitute for review.
**This skill is 100% SAFE - Read-only!** ... **ClawHub Status:** Approved ... **Risk Level:** NONE
Treat the read-only design as reassuring, but make installation decisions based on the actual code, dependencies, and permissions rather than the self-rating.
