BFunbot Skill
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent and disclosed, but it can use a BFunBot API key for wallet-funded credit reloads, BSC token creation, and LLM-provider routing, so users should enable permissions carefully.
Install only if you trust BFunBot and need these BSC/credit/LLM features. Create a limited API key, avoid enabling Agent Reload unless necessary, set conservative reload limits, require confirmation before paid or on-chain actions, and be aware that LLM Gateway prompts may be sent to BFunBot.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked unintentionally, the agent could create public on-chain assets or spend trading-wallet funds on BFun.bot Credits.
The API exposes high-impact mutation endpoints that can create on-chain tokens and reload credits from a wallet. This matches the skill purpose, but these actions should be explicitly user-approved.
POST | `/token/create` | Create token on-chain (async) ... POST | `/balance/credits/reload` | Reload BFun.bot Credits from trading wallet
Require a clear confirmation step for every token creation and credit reload, including token details, chain, platform, amount, and expected cost.
A broadly permissioned key could allow the agent to access account data, use paid LLM credits, create tokens, or reload credits if those permissions are enabled.
The skill requires a BFunBot API key and can optionally add LLM and Agent Reload privileges. These permissions are purpose-aligned but grant meaningful account and billing authority.
**Auth:** API key required — get yours at [bfun.bot/settings/api-keys](https://bfun.bot/settings/api-keys) ... Enable **BFun LLM Gateway** ... Enable **Agent Reload**
Use a least-privilege API key, enable Agent Reload only if needed, set low daily limits, and rotate or revoke the key if the skill is no longer used.
Private prompts, files, or conversation context may be processed through BFunBot's LLM gateway and billed to BFun.bot Credits.
Configuring the LLM Gateway routes model requests through BFunBot's provider endpoint. This is disclosed and optional, but user prompts and any included context may be sent to that service.
This step registers BFunBot as your agent's AI model provider ... point your `base_url` to `https://llm.bfun.bot/v1` with your `bfbot_...` API key
Only enable the LLM Gateway if you trust BFunBot with the data your agent may send, and avoid sending secrets or sensitive files unless necessary.
Installing from a moving branch could expose users to future changes that were not part of this review.
The install documentation points to a GitHub main-branch path rather than a pinned release or commit. The reviewed package itself contains no executable code, so this is a provenance note.
**Install:** `install the bfunbot skill from https://github.com/BFunBot/skills/tree/main/bfunbot`
Prefer installing a pinned release or commit, and review any GitHub-sourced version before installing.