ClawHub
Back to skill
v1.0.0

test

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:29 AM.

Analysis

The skill is clearly for minting an NFT, but it asks an agent to sign and submit a Solana transaction with a funded wallet, which deserves careful review before use.

GuidanceOnly use this skill if you intentionally want to mint this NFT and pay the stated SOL fees. Use a low-balance burner wallet, never expose a main wallet keypair, and inspect or confirm the Solana transaction in a trusted wallet before signing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
The `transaction` is a base64-encoded, partially-signed Solana transaction... Deserialize and sign with your Solana keypair... `tx.sign([yourKeypair]);`

The agent is instructed to sign an opaque transaction produced by the remote backend; the artifact does not instruct the user or agent to inspect the transaction contents or obtain explicit approval before signing.

User impactA signed blockchain transaction can spend SOL and change wallet state, and blockchain actions are difficult or impossible to reverse.
RecommendationRequire explicit user confirmation before signing, inspect the transaction in a trusted wallet or decoder, and use a low-balance burner wallet for the mint.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusConcern
SKILL.md
- A **Solana wallet keypair** with at least **0.02 SOL** for network fees

The skill requires access to a funded wallet keypair, which is sensitive financial authority even though it is purpose-aligned with minting.

User impactIf the agent can access or use the wallet keypair, it can authorize transactions from that wallet during the mint flow.
RecommendationDo not expose a main wallet or high-value keypair; use a dedicated wallet with only the needed SOL and verify every transaction before signing.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
curl -X POST https://chum-production.up.railway.app/api/villain/challenge ... `"walletAddress": "YOUR_SOLANA_PUBLIC_KEY"` ... POST `/villain/execute` ... `"transaction": "<base64_encoded_signed_transaction>"`

The flow sends the user's public wallet address and the signed transaction to the CHUM API, which is expected for this minting workflow but should be noticed.

User impactThe service can associate the wallet address with the mint attempt and receives the signed transaction for submission.
RecommendationUse the service only if you are comfortable with it seeing the wallet address and mint activity; prefer a wallet dedicated to this NFT mint.