Snakey
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real game integration, but it asks an agent/SDK to use a raw wallet private key and can automatically spend USDC without documented spending limits or confirmations.
Review carefully before installing. If you use it, start on testnet with a fresh wallet, keep only minimal funds available, pin and inspect the SDK, and require explicit approval before any command or workflow that joins a game or signs a payment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is for a funded wallet, the agent or SDK could authorize payments or other wallet actions beyond what the user intended.
The skill requires a raw wallet private key for payment signing. That is high-impact financial authority, and the artifacts do not show scoping to a dedicated low-balance wallet or testnet-only use.
privateKey: process.env.WALLET_PRIVATE_KEY ... Mainnet: Wallet with USDC on Base network ... Private key for signing x402 payments
Use only a fresh, dedicated testnet or very low-balance wallet, never a primary wallet, and require manual approval for any paid join.
An agent could repeatedly enter paid games and spend wallet funds without the user noticing each transaction.
The documented workflow can automatically join games and handle payments, and the rules state each entry is '$3 USDC via x402 payment'; no user confirmation or spending limit is documented.
// Creates wallet, claims faucet, joins game - all automatic ... // Play a game (handles payment, waiting, everything)
Configure the agent to ask before running join/play actions, set strict per-session spending limits, and verify whether the endpoint is testnet or mainnet before use.
Users must trust code that was not reviewed here to safely handle wallet credentials and payment operations.
The skill depends on an unversioned npm package whose code is not present in the artifact set, yet that package is used in examples that receive the wallet private key and perform payment flows.
"install": [{ "type": "npm", "package": "@snakey/sdk", "global": false }] ... import { SnakeyClient } from '@snakey/sdk';Inspect and pin the exact @snakey/sdk version before installing, and avoid giving it a private key for any wallet containing meaningful funds.
