clawdio
Review
Audited by ClawScan on May 10, 2026.
Overview
Clawdio is a coherent paid audio-report API, but its instructions can let an agent-connected crypto wallet automatically spend USDC without a clearly stated approval or spending limit.
Only use this skill with a dedicated low-balance wallet and explicit purchase approval. Confirm the product ID, price, and domain before each paid request, and save purchased artifacts because the skill says repeat access requires repurchase.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could spend USDC from a connected wallet when following purchase links, including repeated purchases if the same report is requested again.
A normal GET request to a purchase URL can trigger an automatic wallet-signed payment. The artifacts do not state an explicit user approval, budget, or per-purchase confirmation requirement.
“The x402 payment is handled **automatically** via the `PAYMENT-SIGNATURE` header” and “The purchase endpoint uses GET, not POST.”
Require explicit user approval before any purchase, set wallet spending limits, verify the report ID and price before payment, and cache purchased artifacts to avoid repeat charges.
Connecting a funded wallet gives the agent a payment capability that can affect real funds.
The skill depends on delegated wallet authority to sign and settle payments, but the artifacts do not define which wallet/account may be used, a maximum spend, or a revocation/approval boundary.
“You need an **x402-compatible wallet** funded with USDC on Base Mainnet” and “your wallet provider manages the signing and settlement.”
Use a dedicated low-balance wallet, configure x402 spending controls if available, and do not allow autonomous purchases without confirmation.
Users may have less registry-level assurance about the provider before connecting a wallet.
There is no runnable package risk here, but the registry provenance is sparse for a skill that directs users to an external paid API and wallet-based payment flow.
“Source: unknown” and “Homepage: none”; install specification says “No install spec — this is an instruction-only skill.”
Verify the domain, provider identity, and x402 payment terms independently before use.
