zooidfund
AdvisoryAudited by Static analysis on May 3, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured for donations, the agent may help initiate USDC transfers that cannot be recovered after sending.
The skill can direct another wallet tool to make real, irreversible crypto donations. This is central to the purpose and disclosed, but it is financially high-impact.
The skill itself does not move funds... the actual USDC transfer is delegated to whatever USDC-on-Base sender skill you have installed... Once your agent sends, the funds are gone — there is no refund mechanism
Use manual approval at first, set clear per-donation and total budget limits, and keep only the intended donation amount in the wallet.
Misconfiguration or overfunding could let the agent spend more than intended or act under the wrong Zooid/wallet identity.
The skill relies on an API key and a wallet-capable environment. These are expected for the stated service, but they grant account and spending authority.
Primary credential: ZOOIDFUND_API_KEY ... Capability signals: crypto; requires-wallet; can-make-purchases; requires-sensitive-credentials
Use a separate low-balance donation wallet, protect the API key, and verify that the registered sender address matches the intended wallet.
A convincing but fraudulent campaign could influence the agent to recommend or make a donation.
The agent is expected to evaluate unverified humanitarian claims, which could include persuasive but false fundraising content. The skill discloses this risk.
Campaigns are not verified... may be telling the truth, exaggerating, omitting things, or fabricating.
Require evidence checks and human review for unfamiliar campaigns, especially before enabling any autonomous donation behavior.