Skill v2.4.4
ClawScan security
Pet Me Master - Autonomous Aavegotchi Petting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 22, 2026, 4:05 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior generally matches 'batch-pet via Bankr', but there are multiple mismatches and scope-creep (config/schema inconsistencies, different code paths reading other skill/system config, hard-coded offsets/selectors, and self-perpetuating scheduling) that warrant careful review before installing.
- Guidance: What to check before installing or running this skill:
  - Confirm you trust Bankr and the BANKR_API_KEY you will provide. The skill will submit transactions using that key and will attempt to read the key from env, systemctl user env, or other Bankr config files.
  - Inspect and correct your config.json. There are inconsistent config schemas across docs and scripts (some scripts expect .gotchiIds and walletAddress, others expect .wallets[] entries). Ensure your file matches the script you intend to run.
  - Test in dry-run mode first (many scripts support --dry-run or pet-all.sh will emit a dry-run JSON) and run commands manually before enabling automation.
  - Review the transaction calldata logic. I noticed mismatches in documentation vs code (different function selector noted in references vs encode_interact_calldata). That can cause incorrect calldata/failed transactions; ask the maintainer or verify the calldata with a safe dry-run.
  - Be aware this skill schedules persistent background jobs (at/cron/sleep). If you enable automation (init-automation), it will create scheduled work that runs indefinitely and can submit real transactions if conditions are met. Only enable after you confirm behavior and set appropriate safeguards.
  - Because the scripts read other files (~/.openclaw/skills/bankr/config.json) and probe systemctl environment, keep sensitive keys limited and consider using a throwaway Bankr key with minimal privileges for testing.
  If the maintainer can provide a single canonical config spec and confirm the correct interact() selector/calldata encoding, and if you validate Bankr's API behavior in dry-run mode, the inconsistencies look like sloppy engineering rather than malicious intent. Until then, treat it cautiously and run as a human-in-the-loop rather than granting fully unattended automation.
Review Dimensions
- Purpose & Capability (note): Declared purpose (batch-petting via Bankr) aligns with required binaries (cast, jq, curl, python3) and BANKR_API_KEY. However, there are inconsistencies: several files expect different config schemas (README/SKILL.md examples use config.walletAddress/gotchiIds, while scripts/pet-all-bankr.sh expects ~/.openclaw/.../config.json to contain .wallets[] objects). clawhub.json lists dependencies (foundry, bankr-cli, bc) that are not enforced by SKILL.md. These mismatches are sloppy and could lead to surprises.
- Instruction Scope (concern): Runtime instructions and scripts legitimately query the chain, call the Bankr API, and send Telegram notifications. But the skill also: (a) tries to read Bankr config files belonging to another skill (~/.openclaw/skills/bankr/config.json and the workspace variant), (b) will call systemctl --user to read exported environment variables, (c) schedules recurring background jobs (at, cron or background sleep) and asks the agent to create cron jobs. Reading other skill config and the systemctl environment and installing persistent scheduled tasks expands the scope beyond a simple 'one-off' action; the user should expect persistent automation and cross-skill config access.
- Install Mechanism (ok): No external install/download spec; this is instruction- and script-based. Nothing in the manifest downloads or executes code from untrusted URLs. Code is included in the package, so install risk is limited to running local scripts.
- Credentials (note): The only explicitly required env var is BANKR_API_KEY, which is reasonable for submitting transactions via Bankr. The code also reads PET_ME_* and TELEGRAM_* environment variables (for wallet/chat resolution) and will probe the systemctl user environment and other skill config files for the Bankr API key. That behavior is consistent with the feature but raises a mild privacy/credential-surface concern: it will attempt to discover the Bankr key from multiple places and will access another skill's config file if present.
- Persistence & Privilege (concern): The package intentionally implements persistent automation: it schedules at/cron jobs, spawns background sleeps, and provides an init-automation script that asks an agent to create cron jobs. Although always:false (not force-installed), once a user runs the init/setup the skill can self-perpetuate and run unattended transactions via Bankr. This persistent capability combined with transaction submission privileges increases blast radius and deserves explicit user consent and periodic review.
