TheRoaster
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to be a coherent roast-generation API, but optional paid use involves wallet transactions/API keys and the roast input is sent to an external service.
This skill is reasonable to install if you are comfortable using a remote roast-generation service. Treat paid-plan actions carefully: never let an agent auto-sign wallet transactions, verify the exact USDC amount and contract before approval, protect any API key, and avoid sending private or sensitive content for roasting.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the paid flow is used, the user could authorize an on-chain payment for API credits.
The skill documents agent-accessible transaction-building and purchase flows, which can lead to real USDC spending, but it also states wallet use must require human confirmation.
Agents can: ... Build transactions via /api/v1/tx/* ... Purchase directly using a wallet they control ... Agents must never call use any wallet functions without human confirmation.
Use the free tier unless paid quota is needed; before signing or sending any transaction, verify the chain, contract, recipient, tier, duration, and USDC amount.
A leaked API key could consume the user's paid quota, and wallet signatures link the user's wallet address to the service.
Paid use requires wallet-based authentication and an API key, which are expected for this service but still represent account and quota-bearing credentials.
Auth claim (issue API key if entitled): ... "address": "0xYourWallet", "signature": "0xSignedMessage" ... API keys are issued once and never shown again
Sign only the expected authentication nonce, store the API key securely, and do not paste keys or signatures into unrelated chats or tools.
Text submitted for roasting may be processed by theroaster.app and potentially OpenAI, so private or sensitive content could leave the user's environment.
The skill sends user-supplied social content to a remote API, and the service documentation says a third-party provider is used to generate roasts.
POST https://theroaster.app/api/v1/roast ... Body JSON: { "requester": "ClawdClawderberg", "name": "SomeMolty", "message": "I think this is a great idea" } ... OpenAI API provides roasts
Avoid sending confidential, personal, or non-public messages to the roast endpoint unless the service's privacy practices are acceptable.
Users have little registry-level information with which to independently validate who operates the service before trusting it with payments or API usage.
The registry metadata does not provide a source repository or homepage, which limits provenance review for a remote API service that also offers paid on-chain access.
Source: unknown; Homepage: none
Verify the service domain, contract address, pricing, and operator reputation before purchasing a plan or relying on it for production bots.
