v0.1.0

DanceArc

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 7:57 AM.

Analysis

DanceArc is a coherent instruction-only guide for Arc Testnet payment flows, but users should handle its payment actions, Circle credentials, and private keys carefully.

Guidance: This skill appears safe as an instruction-only payment-protocol reference. Before installing or using it, verify the GitHub repository, keep Circle secrets and private keys out of browser/agent contexts, and only run payment or burst-demo flows when you intentionally want to send Arc Testnet USDC.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
references/payment-flow.md
Switch wallet to **Arc Testnet** (`5042002`); send **native USDC** `value` transfer to `payTo` for at least the required amount (human confirms in wallet).

The skill documents blockchain payment actions. This is expected for a payment-protocol guide and includes human wallet confirmation, but it is still financial-action guidance.

User impact: Following the workflow can initiate USDC testnet transfers and retry paid API calls.
Recommendation: Confirm chain, recipient, and amount before any payment; keep payment actions user-directed, especially outside test/demo environments.
Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
SKILL.md
git clone https://github.com/arunnadarasa/dancearc.git
cp -r dancearc/skills/dancearc-protocol ~/.openclaw/skills/dancearc-protocol

The package itself is instruction-only, but its recommended manual install path depends on a GitHub repository outside the provided artifact bundle.

User impact: A user who follows the manual install may trust files from the external repository that were not included in this scan context.
Recommendation: Review the repository, pin a trusted commit where possible, and avoid running repository scripts until inspected.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Note
SKILL.md
`CIRCLE_API_KEY` | Server | Gateway verify; DCW; faucet ... `CIRCLE_ENTITY_SECRET` | Server | DCW only ... `ARC_BURST_PRIVATE_KEY` | Machine | **Test only** — CLI burst

The documentation references API credentials, an entity secret, and a private key. These are purpose-aligned for Circle/wallet/payment demos, but they are sensitive and not declared in registry requirements.

User impact: If configured improperly, these credentials could authorize wallet, faucet, or provider operations beyond a simple documentation lookup.
Recommendation: Use scoped test credentials, keep secrets server-side, never expose private keys to browser or agent contexts, and rotate keys if they are shared accidentally.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
references/payment-flow.md
If `CIRCLE_API_KEY` set → `POST` Circle Gateway `/v1/gateway/v1/x402/verify`

The skill discloses a third-party provider verification call. This is aligned with the stated Circle Gateway integration, but users should understand that payment verification data may be sent to Circle.

User impact: Payment or wallet verification metadata may be handled by an external provider when that integration is enabled.
Recommendation: Use the integration only with appropriate consent, understand what data is sent to Circle, and keep provider credentials scoped and protected.