Pet Me Master - Autonomous Aavegotchi Petting
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is clearly meant to pet Aavegotchis, but it can keep running and use your Bankr access to submit automatic batch transactions, including when a user may have asked for only one gotchi.
Install only if you want unattended Aavegotchi petting through Bankr. Before enabling live mode, run dry-runs, verify the contract selector and target contract, decide whether fallback automation is acceptable, use a revokable Bankr key, and check for any cron/at/background jobs if you later disable the skill.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A request like “pet gotchi #9638” may pet every ready discovered gotchi instead of only that one.
Any natural-language pet request is forced to the batch pet script, even if the user includes a specific gotchi ID. This conflicts with other docs that mention specific-gotchi petting.
# Enforced behavior: any pet action is batch-only (pet-all.sh). ... if "pet" in lowered: return "pet-all.sh", []
Honor specific gotchi IDs, require explicit confirmation for batch mode, and update all docs so they describe the same behavior.
If enabled, the skill can spend the delegated Bankr authority to perform on-chain petting automatically after the grace period.
The skill schedules a fallback that can submit pet transactions after user inaction rather than after a fresh approval.
If you don't reply, I'll auto-pet in ${FALLBACK_HOURS} hour(s). ... (sleep "$FALLBACK_SECONDS" && bash "$SCRIPT_DIR/auto-pet-fallback.sh" >> /tmp/auto-pet-fallback.log 2>&1) &Enable fallback only if you want unattended transactions; use dry-run first and prefer an explicit confirmation step before Bankr submission.
A mismatch in transaction encoding documentation could cause users to approve or automate a Bankr transaction whose method is not clearly verified by the artifacts.
This is the calldata selector used for submitted transactions, but `references/contract-info.md` documents the interact selector as `0xbafa9107`, creating ambiguity about the exact contract method being called.
local selector="22c67519" ... printf '0x%s%s%s%s\n' "$selector" "$offset" "$length" "$payload"
Verify the contract ABI/function selector before enabling live transactions, and make the docs and code agree.
Anyone enabling this skill is granting it access to the Bankr transaction-submission path configured on the machine.
The skill uses a Bankr credential capable of submitting transactions. This is expected for the stated Bankr integration, but it is sensitive account authority.
This skill submits transactions directly to Bankr API and resolves API key from: 1. `BANKR_API_KEY` env 2. `systemctl --user` exported environment 3. `~/.openclaw/skills/bankr/config.json`
Use a limited/revokable Bankr API key if possible, protect the config files, and remove the key if you stop using the skill.
Your wallet address, gotchi IDs, and readiness status may be visible in the configured Telegram chat/service.
Reminder messages can send the wallet address and gotchi IDs to Telegram. This is aligned with reminder functionality, but it is an external data flow.
Wallet: ${WALLET}\nGotchis: ${GOTCHI_LIST} ... send_telegram_message "$CHAT_ID" "$NOTIFY_MSG"Use a trusted private chat ID and avoid enabling Telegram reminders if you do not want this status shared there.
If started or scheduled, the automation may keep operating indefinitely and continue submitting pet transactions as cooldowns allow.
The script runs an unbounded loop that waits for readiness, calls the batch pet transaction flow, then continues cycling.
while :; do ... if OUT="$(bash scripts/pet-all.sh 2>&1)"; then ... sleep "$POST_PET_SETTLE_WAIT" ... done
Only start this process intentionally, document how to stop it, and check cron/at/background jobs and logs after testing.