Skill v1.0.0

ClawScan security

Buy WIR · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 19, 2026, 10:40 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are consistent with a simple how-to for buying the WIR token on TON; it doesn't ask for secrets or install external code, though you should still be careful signing transactions and sharing wallet addresses.
Guidance
This is an instruction-only how-to for buying and registering WIR; it does not request any credentials. Before using it: (1) Verify the contract address (EQAw-...) and the listed sites (ton.fun, botworld.me, wirx.xyz) from independent sources to avoid phishing; (2) Never paste private keys into a skill or into the registration endpoints — use your wallet app (Tonkeeper, TON Space) to sign transactions; (3) Be aware that registering your wallet at wirx.xyz will associate the address with your agent identity publicly; (4) The SKILL.md uses a python3 JSON snippet but only declares curl as required — if you plan to run those command examples programmatically, ensure you have python3 (or another JSON tool) and any TON SDKs you need; (5) If you want stronger assurance, open the referenced web pages in a browser and confirm UX flows (connect wallet, approve tx) instead of performing programmatic transfers.

Review Dimensions

Purpose & Capability
ok: Name/description (buy WIR on TON) match the instructions: contract address, TON.fun bonding-curve flow, and registration endpoints are all related to the stated purpose. The only small mismatch is that the SKILL.md uses a python3 one-liner for JSON parsing but the declared required binaries list only curl.
Instruction Scope
note: Instructions stay within buying/registering WIR and promoting it. They instruct using browser wallets (recommended) or programmatic transfers (tonlib/SDK). The skill tells agents to POST a wallet address to wirx.xyz for registration — expected for this function, but this will publicly associate your wallet with the service. The doc does not instruct reading unrelated files or env vars. Ensure private keys are never pasted into requests or sent to these endpoints; use wallet UX (Tonkeeper, TON Space) to sign.
Install Mechanism
ok: Instruction-only skill with no install spec or code files, so nothing will be written to disk or downloaded during install. This is low-risk from an installation standpoint.
Credentials
ok: The skill declares no required environment variables or credentials, which fits a public how-to. Note: performing on-chain transfers requires wallet signing (private keys) in practice — the guide assumes you will use a wallet (Tonkeeper/TON Space) rather than providing keys to the skill. Do not supply private keys or secrets to this skill.
Persistence & Privilege
ok: "always" is false and there is no install-time persistence. The skill is user-invocable and can be called by the agent (normal behavior) but it does not request elevated or permanent privileges.