ClawHub
Back to skill
v1.0.2

Snakey

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:22 AM.

Analysis

This skill is a disclosed USDC prize game, but it asks for a wallet private key and provides one-command flows that can spend funds to enter games.

GuidanceTreat this as a financial-action skill. Use testnet first, use only a dedicated low-balance wallet, review the @snakey/sdk package, and do not allow autonomous paid entries unless you have explicit confirmation and spending limits in place.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
SKILL.md
`snakey join` | Join next game ($3 USDC) ... `const result = await client.play('MyBot');` ... `// Play a game (handles payment, waiting, everything)`

The skill exposes simple CLI/SDK paths that can initiate a paid USDC game entry and handle the payment automatically, but the artifact does not describe explicit approval prompts, spend caps, or containment for repeated paid actions.

User impactIf an agent invokes the paid join/play path with a funded wallet, it could spend USDC to enter games without the user noticing each individual payment.
RecommendationRequire explicit user confirmation before every paid entry, set a strict spend limit, and separate testnet play from any mainnet-funded wallet.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
`"install": [ { "type": "npm", "package": "@snakey/sdk", "global": false } ]` and `SDK: npm install @snakey/sdk`

The skill depends on an external npm package to perform the wallet/game actions. That dependency is expected for the stated SDK-based purpose, but the artifact does not pin a version or include the package contents.

User impactInstalling the SDK adds supply-chain trust in the npm package that will handle wallet and payment operations.
RecommendationInspect the SDK source and package provenance before use, pin a known-good version, and avoid installing or running it with a high-value wallet key.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
SKILL.md
`privateKey: process.env.WALLET_PRIVATE_KEY` ... `Mainnet: ... Private key for signing x402 payments`

The skill requires direct access to a wallet private key for payment signing. A raw wallet private key can authorize broader wallet activity than just a single game entry unless the user strictly isolates the wallet.

User impactA compromised or misused environment could expose control over funds in the configured wallet, not just the $3 entry amount.
RecommendationUse only a dedicated low-balance test wallet or limited mainnet wallet, never a primary wallet private key, and rotate the key if it may have been exposed.