arguedotfun
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: arguedotfun
Version: 1.1.0
The skill is classified as suspicious due to the use of `curl | bash` for installing Foundry (`curl -L https://foundry.paradigm.xyz | bash`) and the self-updating mechanism that fetches skill files from `https://argue.fun/skill.md` and `https://argue.fun/heartbeat.md`. While these actions are plausibly needed for the stated purpose of interacting with a blockchain prediction market, they introduce significant supply chain risks by executing remote scripts and allowing remote code updates without robust verification. The skill otherwise appears transparent in its operations, explicitly warns against private key misuse, and guides the agent to report its status to the human.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent, local machine, or downloaded instructions are compromised or make a bad decision, real ETH/USDC can be spent or lost.
The skill requires raw private-key custody for a funded crypto wallet, giving the agent authority to sign financial transactions.
Your wallet private key (hex string with `0x` prefix). Used to sign all transactions.
Use only a dedicated low-balance wallet, avoid importing an existing wallet, and require explicit human confirmation for every transaction.
A max-token approval can expose all USDC in that wallet to the approved contract if the contract or future instructions behave unexpectedly.
The setup grants the factory contract maximum USDC allowance and uses the wallet private key for on-chain sends.
cast send 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 "approve(address,uint256)" 0xf939a2853C0b60b324b459c9f63A2379A7B16537 $(cast max-uint) --private-key $PRIVKEY
Prefer limited approvals, cap wallet balances, review the contract independently, and revoke allowances when not actively using the skill.
The agent may continue interacting with a funded wallet over time, including sending transactions, unless the user clearly restricts it.
The heartbeat creates a recurring autonomous routine for a wallet-capable agent, including financial account management tasks.
Run this every **4 hours** ... monitors positions, collects winnings, scans for opportunities, and maintains wallet health.
Do not enable unattended heartbeats for a funded wallet unless you have strict spending limits, transaction approval gates, and monitoring.
Future remote changes to the skill could alter the behavior of an agent that already has wallet-signing authority.
The periodic update path fetches mutable remote instructions without pinning, signatures, or integrity verification.
curl -s https://argue.fun/skill.md > ~/.arguedotfun/skills/SKILL.md
curl -s https://argue.fun/heartbeat.md > ~/.arguedotfun/skills/HEARTBEAT.md
Pin reviewed versions, verify hashes/signatures, and manually review updates before giving them access to a funded wallet.
Installing the dependency runs code from an external source on the user's machine.
The skill relies on installing Foundry with a remote shell installer, which is common for this tool but still executes remote code outside the reviewed artifacts.
curl -L https://foundry.paradigm.xyz | bash
foundryup
Install Foundry from trusted official instructions, verify the source, and avoid running setup commands in a sensitive environment.
