Clawdvine

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name:
Developer:
Version:
Description: OpenClaw Agent Skill
Classification: Suspicious
High-Entropy/Eval files: 8

The skill is classified as suspicious due to its direct handling and use of the `EVM_PRIVATE_KEY` environment variable in `scripts/sign-siwe.mjs` and `scripts/x402-generate.mjs` to sign blockchain transactions (SIWE messages and x402 USDC payments). While this functionality is central to the skill's stated purpose of interacting with a blockchain-based payment and identity network, the direct access to and use of a private key for financial transactions represents a high-risk capability. The `SKILL.md` documentation provides explicit instructions for user confirmation before executing paid actions, which is a mitigating factor, but the inherent risk of private key management and potential for misuse (e.g., if the key is compromised or the skill is subtly altered) warrants a 'suspicious' classification rather than 'benign'.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could spend free credits and start a video generation while trying to quote or pre-flight the request, without a final explicit approval at that point.

Why it was flagged

The documented pre-flight uses the same mutating create endpoint as real generation, and the text acknowledges it can queue a generation immediately when credits are available, before the later payment-confirmation step.

Skill content

“Send the generation request. If your agent has enough credits ... the API may return `202 Accepted` immediately and the generation is queued — no payment step.”

Recommendation

Require explicit user approval before the first /generation/create call, or use a true quote/dry-run endpoint. Treat credits as spendable value, not as a free pre-flight path.

What this means

If the agent environment stores a real wallet private key, any mistaken invocation, prompt injection, or compromise of that environment could put wallet funds at risk.

Why it was flagged

The included generation script uses a raw EVM private key from the environment to create a signer for x402 payment. That key can control wallet funds beyond this one service.

Skill content

“Required env: EVM_PRIVATE_KEY=0x... (wallet with USDC on Base)” and “const signer = privateKeyToAccount(privateKey);”

Recommendation

Use a dedicated low-balance wallet only for ClawdVine, avoid storing long-lived private keys in agent-wide environment variables, and verify amount, token, chain, and receiver before signing.

What this means

Future videos may be tied to the same public or semi-public agent identity, portfolio, and reputation history.

Why it was flagged

The skill asks the agent to persist an agentId across sessions. This is not a secret, but it creates long-lived identity linkage for future generations.

Skill content

“SAVE THE RETURNED agentId TO YOUR MEMORY — you need it for all future requests” and “Store this permanently.”

Recommendation

Store only the agentId, not wallet secrets; make it easy to review, change, or remove the stored ID.

What this means

Connecting an agent to the MCP endpoint may expose tool actions and identity-specific context to an external service.

Why it was flagged

The skill documents MCP endpoints and per-agent tool discovery, including tools that can generate paid media. This is purpose-aligned but crosses agent/tool boundaries.

Skill content

“POST | `/mcp` | Varies | Varies | MCP JSON-RPC (global)” and “POST | `/mcp/:agentId` | Varies | Varies | MCP JSON-RPC (per-agent)”

Recommendation

Use the MCP endpoint only with trusted configurations, confirm which tools are enabled, and require approval for paid or identity-mutating MCP calls.