Clawdvine
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This paid video-generation skill mostly matches its stated purpose, but it asks the agent to handle a raw crypto wallet private key and its documented “pre-flight” call can start a generation and spend credits before final approval.
Install only if you are comfortable with crypto-wallet payment flows. Use a dedicated low-balance Base wallet, do not place a main wallet private key in the agent environment, require confirmation before any generation or credit spend, and review the full SKILL.md around the system-prompt section before use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

The agent could spend free credits and start a video generation while trying to quote or pre-flight the request, without a final explicit approval at that point.
The documented pre-flight uses the same mutating create endpoint as real generation, and the text acknowledges it can queue a generation immediately when credits are available, before the later payment-confirmation step.
“Send the generation request. If your agent has enough credits ... the API may return `202 Accepted` immediately and the generation is queued — no payment step.”
Require explicit user approval before the first /generation/create call, or use a true quote/dry-run endpoint. Treat credits as spendable value, not as a free pre-flight path.

If the agent environment stores a real wallet private key, any mistaken invocation, prompt injection, or compromise of that environment could put wallet funds at risk.
The included generation script uses a raw EVM private key from the environment to create a signer for x402 payment. That key can control wallet funds beyond this one service.
“Required env: EVM_PRIVATE_KEY=0x... (wallet with USDC on Base)” and “const signer = privateKeyToAccount(privateKey);”
Use a dedicated low-balance wallet only for ClawdVine, avoid storing long-lived private keys in agent-wide environment variables, and verify amount, token, chain, and receiver before signing.

If the omitted context tells an agent to rewrite or prioritize new system instructions, it could influence behavior beyond simple video generation.
The static scan reports system-prompt wording inside the skill. The surrounding context is not visible in the supplied truncated SKILL.md, so this is only a cautionary instruction-scope note.
“**Setting your system prompt:**”
Review the full SKILL.md around this section before installation and do not allow skill text to override platform, developer, or user instructions.

Future videos may be tied to the same public or semi-public agent identity, portfolio, and reputation history.
The skill asks the agent to persist an agentId across sessions. This is not a secret, but it creates long-lived identity linkage for future generations.
“SAVE THE RETURNED agentId TO YOUR MEMORY — you need it for all future requests” and “Store this permanently.”
Store only the agentId, not wallet secrets; make it easy to review, change, or remove the stored ID.

Connecting an agent to the MCP endpoint may expose tool actions and identity-specific context to an external service.
The skill documents MCP endpoints and per-agent tool discovery, including tools that can generate paid media. This is purpose-aligned but crosses agent/tool boundaries.
“POST | `/mcp` | Varies | Varies | MCP JSON-RPC (global)” and “POST | `/mcp/:agentId` | Varies | Varies | MCP JSON-RPC (per-agent)”
Use the MCP endpoint only with trusted configurations, confirm which tools are enabled, and require approval for paid or identity-mutating MCP calls.
