Aavegotchi GBM Skill

Review: Audited by ClawScan on May 10, 2026.

Overview

This is a transparent crypto-auction helper, but it needs a wallet private key and can make irreversible Base transactions when dry run is disabled.

Install only if you are comfortable letting the agent prepare Web3 transaction commands. Use a dedicated wallet with limited funds, verify all contract addresses and auction details, keep DRY_RUN=1 by default, and only set DRY_RUN=0 after giving a specific, reviewed instruction to broadcast.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user disables dry run and approves or sends the wrong transaction, wallet assets or NFT permissions could be affected irreversibly on Base mainnet.

Why it was flagged

The skill documents `cast send` commands that can grant NFT operator approval and submit on-chain transactions. This matches the auction-management purpose and is marked as broadcast-only when explicitly instructed, but the action is high-impact.

Skill content
Set approval (broadcast; do this only when explicitly instructed):
```bash
~/.foundry/bin/cast send "<NFT_CONTRACT_ADDRESS>" 'setApprovalForAll(address,bool)' "$GBM_DIAMOND" true \
  --private-key "$PRIVATE_KEY"
```
Recommendation

Keep DRY_RUN=1 until you have verified the auction, contract address, token ID, amount, and recipient. Only broadcast one specific transaction at a time, and consider revoking approvals after use.
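One way to enforce the recommendation above in practice is to wrap the documented `setApprovalForAll` call in a gate that prints the command (with the key redacted) unless DRY_RUN=0 and an explicit confirmation are both present, and to pair the grant with the matching revoke. This is an added example, not the skill's own code; the `CAST_BIN` path, the `CONFIRM_BROADCAST` variable and the address check are assumptions of this example, while `DRY_RUN`, `GBM_DIAMOND` and `PRIVATE_KEY` are the names the skill documents.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): a DRY_RUN gate around the
# setApprovalForAll broadcast discussed in the review, plus the revoke.
# Assumed names: CAST_BIN, CONFIRM_BROADCAST (ours); DRY_RUN, GBM_DIAMOND,
# PRIVATE_KEY (from the skill's documentation).
CAST_BIN="${CAST_BIN:-$HOME/.foundry/bin/cast}"

# Reject anything that is not a 0x-prefixed 20-byte hex address.
is_address() {
  printf '%s' "$1" | grep -Eq '^0x[0-9a-fA-F]{40}$'
}

# Broadcast only when DRY_RUN=0 *and* CONFIRM_BROADCAST=yes. In every other
# case print the command with the key redacted so it can be reviewed first.
gated_send() {
  local to="$1" sig="$2"
  shift 2
  is_address "$to" || { echo "refusing: bad contract address '$to'" >&2; return 2; }
  local cmd="$CAST_BIN send $to '$sig' $*"
  if [ "${DRY_RUN:-1}" != "0" ] || [ "${CONFIRM_BROADCAST:-no}" != "yes" ]; then
    echo "DRY RUN: $cmd --private-key <redacted>"
    return 0
  fi
  [ -n "${PRIVATE_KEY:-}" ] || { echo "refusing: PRIVATE_KEY unset" >&2; return 2; }
  # The key goes straight to cast and is never echoed.
  "$CAST_BIN" send "$to" "$sig" "$@" --private-key "$PRIVATE_KEY"
}

# Grant (true) or revoke (false) operator approval for the GBM diamond.
set_operator_approval() {
  local nft="$1" flag="$2"
  case "$flag" in true|false) ;; *) echo "flag must be true or false" >&2; return 2 ;; esac
  is_address "${GBM_DIAMOND:-}" || { echo "refusing: GBM_DIAMOND is not a valid address" >&2; return 2; }
  gated_send "$nft" 'setApprovalForAll(address,bool)' "$GBM_DIAMOND" "$flag"
}

# After the auction is done, revoke what was granted:
#   set_operator_approval "<NFT_CONTRACT_ADDRESS>" false
```

With DRY_RUN unset the wrapper never reaches `cast`, so the same script can be reviewed end to end before a single transaction is broadcast.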

What this means

Anyone or any tool with this private key can sign transactions for the wallet, so compromise or misuse could lead to asset loss.

Why it was flagged

The skill requires a raw wallet private key for transaction signing. This is expected for the stated blockchain execution purpose and the artifact says not to print it, but the credential controls wallet funds and assets.

Skill content
- `PRIVATE_KEY`: EOA private key used for `cast send` (never print/log).
Recommendation

Use a dedicated low-balance wallet or narrowly funded operational key, not a primary wallet. Never paste the private key into chat, logs, screenshots, or untrusted shells.