Codedna
Security checks across malware telemetry and agentic risk
Overview
The skill is internally consistent with its stated goal (autonomous on-chain 'AI life' agents) but requests and creates sensitive local wallet material, instructs users to use an external authorization webpage, and includes autonomous fund-management (auto-sell/self‑fund) logic — all high-risk behaviors that warrant caution.
What to consider before installing/using:
- This skill creates and stores a private key at ~/.codedna/wallet.json. The code suggests restrictive file permissions, but the file still holds signing material: anything held by that wallet (BNB, NFTs) can be moved by the scripts.
- The SKILL.md asks you to send an authorization link (codedna.org/auth) to users so they can 'authorize AI Agent control' and transfer BNB to the generated agent wallet. That external webpage interaction is the riskiest step: a malicious or compromised page could trick users into signing harmful transactions or token approvals. Verify the domain and its code before directing a real user to it.
- The code includes an automated AgentSelfFund flow: when the agent wallet's BNB runs low, the runner can automatically sell locked DNAGOLD to a third-party order (Rovex / prelist.cz) to top up BNB. This matches the described feature, but it means the skill can autonomously sell tokens and move value from the game's locked balances to the wallet owner. Use it only with throwaway/test funds until you have audited and trust the contracts and logic.
- If you plan to run this, do not use your primary/main wallet. Test on a testnet or with deliberately small balances first. Inspect the smart contract addresses in the code and confirm they match the official project's published addresses (if any).
- Review the code paths that call external services and contract addresses (AgentSelfFund, RovexRouter, etc.). Confirm you trust the contract implementations: the skill assumes certain behaviours (e.g., a zero-address recipient means BNB is sent to msg.sender), which could be abused if the deployed contracts behave differently.
- Run the runner in a restricted environment (e.g., a container or VM), avoid installing pm2 system-wide unless you understand its auto-start behaviour, and monitor the wallet and its transactions on bscscan for unexpected activity.
If you want, I can:
- highlight the exact lines/files that write the wallet or perform the self-fund flow,
- extract the external domains and contract addresses for manual verification, or
- produce a short checklist of safe steps to sandbox and audit the skill before giving it any funds.
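Two of the checks above (pull the contract addresses and external hostnames out of the skill's source for manual verification, and confirm the wallet file is readable by its owner alone) can be done mechanically before any funds are involved. The script below is an added example written for this page, not code from the Codedna skill or its authors. The source snippet it scans is constructed, the addresses in it are placeholders rather than the project's real contracts, and the hostnames are the two named in the overview; the allowlist argument stands in for whatever addresses the official project publishes.

```python
import os
import re
import stat
import tempfile

# Constructed sample standing in for the runner source an auditor would scan.
# The 0x... values are placeholders, not the real project's contract addresses.
SAMPLE_SOURCE = """
const AUTH_URL = "https://codedna.org/auth";
const ROVEX_ROUTER = "0x1111111111111111111111111111111111111111";
const DNAGOLD = "0x2222222222222222222222222222222222222222";
const ORDER_API = "https://prelist.cz/api/order";
const WALLET_PATH = "~/.codedna/wallet.json";
"""

# A 20-byte EVM address: 0x followed by exactly 40 hex digits.
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
# Hostname part of any http(s) URL literal.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def extract_identifiers(source: str) -> dict:
    """Return the contract addresses and external hostnames referenced in source text.

    These are the values to cross-check by hand against the project's official
    listings before the skill is allowed to sign anything.
    """
    addresses = sorted({m.group(0).lower() for m in ADDRESS_RE.finditer(source)})
    hosts = sorted({m.group(1).lower() for m in URL_RE.finditer(source)})
    return {"addresses": addresses, "hosts": hosts}


def unexpected_addresses(source: str, allowlist) -> list:
    """Addresses present in source but absent from allowlist.

    allowlist is the set of addresses the official project publishes (an
    assumption here: the caller supplies it). Anything returned is unverified.
    """
    allowed = {a.lower() for a in allowlist}
    return [a for a in extract_identifiers(source)["addresses"] if a not in allowed]


def wallet_file_is_private(path: str) -> bool:
    """True only if path is a regular file with mode exactly 0600 (owner rw, nobody else)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return stat.S_IMODE(st.st_mode) == 0o600


def write_demo_wallet(mode: int) -> str:
    """Create a throwaway placeholder wallet file with the given mode and return its path.

    Only for exercising wallet_file_is_private; the contents are not a real key.
    """
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as f:
        f.write('{"address": "0x0000000000000000000000000000000000000000", '
                '"privateKey": "<placeholder>"}')
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    ids = extract_identifiers(SAMPLE_SOURCE)
    print("contract addresses to verify:", ids["addresses"])
    print("external hosts to verify:    ", ids["hosts"])
    # Replace with the real wallet path (~/.codedna/wallet.json) on a live install.
    demo = write_demo_wallet(0o644)
    print("wallet file private (0600)?  ", wallet_file_is_private(demo))
    os.remove(demo)
```

Run it against the skill's own files by replacing SAMPLE_SOURCE with their contents; every address that comes back from unexpected_addresses is one you have not confirmed against the official project, and a wallet file that fails wallet_file_is_private should be tightened (chmod 600) before the runner is started.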
SkillSpector
SkillSpector findings are pending for this release.
VirusTotal
No VirusTotal findings
