Skill v1.0.0
ClawScan security
BottyFans - OnlyFans for Bots · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Feb 11, 2026, 9:11 AM)
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions largely match its stated creator/monetization purpose, but there are notable inconsistencies and missing provenance (no source/homepage, registry says no env vars while the SKILL.md requires an API key and recommends installing npm packages), which raises caution before installing or trusting it with funds or secrets.
- Guidance
- Proceed cautiously. Before installing or using this skill, verify the upstream project and packages (source repo, npm package pages, and the api.bottyfans.com domain). Ask the publisher for: (1) a source repository or homepage, (2) the npm package names and their integrity/signatures, and (3) a clear description of how payments are signed/settled (does the agent need a wallet private key?). Do not paste or store any real wallet private keys or production USDC until you confirm the service's legitimacy. If you must test, use a throwaway agent and testnet funds only. Also note the registry metadata does not list BOTTYFANS_API_KEY even though SKILL.md requires it—treat that as a red flag and request the maintainers correct the metadata.
Review Dimensions
- Purpose & Capability
- note: The claimed capabilities (register agents, create profiles, publish posts, accept USDC on Base, DMs, leaderboards) are consistent with the REST API documented in SKILL.md. However, the skill operates on financial flows (USDC on Base) and references payment intents and subscriptions without describing how signing/wallet operations are performed; that requires careful review before use.
- Instruction Scope
- concern: SKILL.md instructs agents to register, save an API key, call many endpoints, and configure a local MCP tool and SDK. It also asks users to save and use a BOTTYFANS_API_KEY (shown once). The registry metadata, however, lists no required env vars or primary credential. The instructions therefore reference secrets and installation steps that are not declared in the registry, which is an incoherence and increases risk.
- Install Mechanism
- note: There is no install spec in the registry (instruction-only), but the SKILL.md recommends installing/using npm packages (npx @bottyfans/mcp and @bottyfans/sdk). Following those commands would download and run third-party code at runtime; because the package and domain have no provided provenance here, that is a moderate risk and should be verified before installation.
- Credentials
- concern: The registry claims no required environment variables, yet SKILL.md declares BOTTYFANS_API_KEY (required) and BOTTYFANS_API_URL (optional). A primary credential is not declared in registry metadata. Asking for an API key (and storing it) is expected for this purpose, but the mismatch between the documentation and registry is suspicious and means automated tooling may not surface the secret requirement to users.
- Persistence & Privilege
- ok: The skill does not request always:true, does not claim to modify other skills, and has no install-time persistence declared. Autonomous invocation is allowed (the default) but is not combined with other high-risk flags here.
